CVE-2025-39744
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2025-11-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to IRQ work During rcu_read_unlock_special(), if this happens during irq_exit(), we can lockup if an IPI is issued. This is because the IPI itself triggers the irq_exit() path causing a recursive lock up. This is precisely what Xiongfeng found when invoking a BPF program on the trace_tick_stop() tracepoint As shown in the trace below. Fix by managing the irq_work state correctly. irq_exit() __irq_exit_rcu() /* in_hardirq() returns false after this */ preempt_count_sub(HARDIRQ_OFFSET) tick_irq_exit() tick_nohz_irq_exit() tick_nohz_stop_sched_tick() trace_tick_stop() /* a bpf prog is hooked on this trace point */ __bpf_trace_tick_stop() bpf_trace_run2() rcu_read_unlock_special() /* will send a IPI to itself */ irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu); A simple reproducer can also be obtained by doing the following in tick_irq_exit(). It will hang on boot without the patch: static inline void tick_irq_exit(void) { + rcu_read_lock(); + WRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true); + rcu_read_unlock(); + [neeraj: Apply Frederic's suggested fix for PREEMPT_RT]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2025-11-25
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-39744
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a deadlock issue in the Linux kernel's rcu_read_unlock() function caused by improper handling of IRQ work during irq_exit(). Specifically, when rcu_read_unlock_special() is called during irq_exit(), an inter-processor interrupt (IPI) can trigger the irq_exit() path again, causing a recursive lockup. This happens because the IPI itself triggers irq_exit(), leading to a deadloop. The issue was discovered when running a BPF program on the trace_tick_stop() tracepoint and fixed by correctly managing the irq_work state.

Impact Analysis

This vulnerability can cause the system to hang or lock up, particularly during boot or when running certain BPF programs that trigger the affected code path. This can lead to denial of service as the kernel becomes unresponsive due to the deadlock.

Mitigation Strategies

Apply the patch that fixes the rcu_read_unlock() deadloop issue in the Linux kernel by correctly managing the irq_work state. This involves updating the kernel to a version that includes the fix for CVE-2025-39744.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-39744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart