CVE-2025-39821

HIGH EPSS 4.4%
Published Sep 16, 20259mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Sep 16, 2025 9mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: perf: Avoid undefined behavior from stopping/starting inactive events Calling pmu->start()/stop() on perf events in PERF_EVENT_STATE_OFF can leave event->hw.idx at -1. When PMU drivers later attempt to use this negative index as a shift exponent in bitwise operations, it leads to UBSAN shift-out-of-bounds reports. The issue is a logical flaw in how event groups handle throttling when some members are intentionally disabled. Based on the analysis and the reproducer provided by Mark Rutland (this issue on both arm64 and x86-64). The scenario unfolds as follows: 1. A group leader event is configured with a very aggressive sampling period (e.g., sample_period = 1). This causes frequent interrupts and triggers the throttling mechanism. 2. A child event in the same group is created in a disabled state (.disabled = 1). This event remains in PERF_EVENT_STATE_OFF. Since it hasn't been scheduled onto the PMU, its event->hw.idx remains initialized at -1. 3. When throttling occurs, perf_event_throttle_group() and later perf_event_unthrottle_group() iterate through all siblings, including the disabled child event. 4. perf_event_throttle()/unthrottle() are called on this inactive child event, which then call event->pmu->start()/stop(). 5. The PMU driver receives the event with hw.idx == -1 and attempts to use it as a shift exponent. e.g., in macros like PMCNTENSET(idx), leading to the UBSAN report. The throttling mechanism attempts to start/stop events that are not actively scheduled on the hardware. Move the state check into perf_event_throttle()/perf_event_unthrottle() so that inactive events are skipped entirely. This ensures only active events with a valid hw.idx are processed, preventing undefined behavior and silencing UBSAN warnings. The corrected check ensures true before proceeding with PMU operations. The problem can be reproduced with the syzkaller reproducer:

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
4.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 3

VendorProductVersionRange
linuxlinux_kernel*≥6.16  –  <6.16.5
linuxlinux_kernel6.17any
linuxlinux_kernel6.17any

References 2

  • git.kernel.org https://git.kernel.org/stable/c/b64fdd422a85025b5e91ead794db9d3ef970e369
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d689135aa9c5e4e0eab5a92bbe35dab0c8d6677f
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/b64fdd422a85025b5e91ead794db9d3ef970e369
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d689135aa9c5e4e0eab5a92bbe35dab0c8d6677f
    Patch