CVE-2025-39977

NONE EPSS 8.6%
Published Oct 15, 20258mo ago · Modified Jun 17, 20261w ago
Find Similar
Published Oct 15, 2025 8mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* back */ wake_up_state(q->task, TASK_NORMAL); In this scenario futex_wait_requeue_pi() is able to leave without using futex_q::lock_ptr for synchronization. This can be prevented by reading futex_q::task before updating the futex_q::requeue_state. A reference on the task_struct is not needed because requeue_pi_wake_futex() is invoked with a spinlock_t held which implies a RCU read section. Even if T1 terminates immediately after, the task_struct will remain valid during T2's wake_up_state(). A READ_ONCE on futex_q::task before futex_requeue_pi_complete() is enough because it ensures that the variable is read before the state is updated. Read futex_q::task before updating the requeue state, use it for the following wakeup.

Threat Intelligence

EPSS Exploit Probability
8.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 6

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-082556.html
  • git.kernel.org https://git.kernel.org/stable/c/348736955ed6ca6e99ca24b93b1d3fbfe352c181
  • git.kernel.org https://git.kernel.org/stable/c/a170b9c0dde83312b8b58ccc91509c7c15711641
  • git.kernel.org https://git.kernel.org/stable/c/b549113738e8c751b613118032a724b772aa83f2
  • git.kernel.org https://git.kernel.org/stable/c/cb5d19a61274b51b49601214a87af573b43d60fa
  • git.kernel.org https://git.kernel.org/stable/c/d824b2dbdcfe3c390278dd9652ea526168ef6850

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.