CVE-2025-39783
BaseFortify

Publication date: 2025-09-11

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Fix configfs group list head handling

Doing a list_del() on the epf_group field of struct pci_epf_driver in pci_epf_remove_cfs() is not correct as this field is a list head, not a list entry. This list_del() call triggers a KASAN warning when an endpoint function driver which has a configfs attribute group is torn down:

==================================================================
BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319
CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
Hardware name: Radxa ROCK 5B (DT)
Call trace:
 show_stack+0x2c/0x84 (C)
 dump_stack_lvl+0x70/0x98
 print_report+0x17c/0x538
 kasan_report+0xb8/0x190
 __asan_report_store8_noabort+0x20/0x2c
 pci_epf_remove_cfs+0x17c/0x198
 pci_epf_unregister_driver+0x18/0x30
 nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
 __arm64_sys_delete_module+0x264/0x424
 invoke_syscall+0x70/0x260
 el0_svc_common.constprop.0+0xac/0x230
 do_el0_svc+0x40/0x58
 el0_svc+0x48/0xdc
 el0t_64_sync_handler+0x10c/0x138
 el0t_64_sync+0x198/0x19c
...

Remove this incorrect list_del() call from pci_epf_remove_cfs().
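The head-versus-entry distinction is the whole bug: list_del() does not touch the node it is given so much as its two neighbours (prev->next and next->prev), so calling it on a list head writes into whatever objects are still linked to that head. The following added example (written for this page, not code from the kernel or from the nvmet_pci_epf driver) models that with a list_head of the same shape as the kernel's, a hypothetical epf_driver/cfs_group pair, and a simulated sanitizer that counts, instead of performing, any pointer write that would land in a "freed" group. It assumes, as a modelling choice the page does not spell out, that releasing a group frees the object without unlinking it, which is what leaves the head holding dangling pointers:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Intrusive doubly-linked list with the same shape as the kernel's
 * struct list_head. A "head" is the anchor that owns a list; an "entry"
 * is the same struct embedded in an object that hangs off some head. */
struct list_head {
	struct list_head *next, *prev;
};

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *e, struct list_head *h)
{
	e->prev = h->prev;
	e->next = h;
	h->prev->next = e;
	h->prev = e;
}

/* Hypothetical stand-ins for the driver and its configfs groups. */
struct cfs_group {
	struct list_head group_entry;   /* entry: linked into driver->epf_group */
	bool freed;                     /* simulated "slab object freed" flag */
};

struct epf_driver {
	struct list_head epf_group;     /* head: owns the group list */
};

#define NGROUPS 3
static struct cfs_group pool[NGROUPS]; /* static storage: "freeing" only sets a flag */
static int uaf_writes;                 /* simulated KASAN: refused writes into freed objects */

static struct cfs_group *group_of(struct list_head *e)
{
	return container_of(e, struct cfs_group, group_entry);
}

/* True if p is the link of a group whose memory has been "freed". */
static bool into_freed(struct list_head *p, const struct epf_driver *d)
{
	return p != &d->epf_group && group_of(p)->freed;
}

/* list_del() as the kernel does it, except each of the two neighbour
 * writes is refused and counted when it would land in freed memory. */
static void checked_list_del(struct list_head *e, const struct epf_driver *d)
{
	struct list_head *prev = e->prev, *next = e->next;

	if (into_freed(prev, d)) uaf_writes++; else prev->next = next;
	if (into_freed(next, d)) uaf_writes++; else next->prev = prev;
	e->next = e->prev = NULL;   /* the kernel stores LIST_POISON1/2 here */
}

static void setup(struct epf_driver *d)
{
	uaf_writes = 0;
	init_list_head(&d->epf_group);
	for (int i = 0; i < NGROUPS; i++) {
		pool[i].freed = false;
		list_add_tail(&pool[i].group_entry, &d->epf_group);
	}
}

/* Modelling assumption (not taken from the page): releasing a group frees
 * its object without unlinking it, so the head keeps dangling pointers. */
static void release_group(struct cfs_group *g) { g->freed = true; }

static void release_all_groups(struct epf_driver *d)
{
	struct list_head *p, *tmp;

	/* as list_for_each_entry_safe(): read next before the entry goes away */
	for (p = d->epf_group.next; p != &d->epf_group; p = tmp) {
		tmp = p->next;
		release_group(group_of(p));
	}
}

/* Before the fix: list_del() on the head writes one pointer (8 bytes on
 * 64-bit) into each neighbouring group, both already freed. */
int teardown_buggy(void)
{
	struct epf_driver d;

	setup(&d);
	release_all_groups(&d);
	checked_list_del(&d.epf_group, &d);
	return uaf_writes;
}

/* After the fix: the head goes away with its owner and is never unlinked. */
int teardown_fixed(void)
{
	struct epf_driver d;

	setup(&d);
	release_all_groups(&d);
	return uaf_writes;
}

int main(void)
{
	printf("buggy teardown: %d write(s) into freed memory\n", teardown_buggy());
	printf("fixed teardown: %d write(s) into freed memory\n", teardown_fixed());
	return 0;
}
```

The buggy teardown reports two refused writes, one for each neighbour of the head, matching the single 8-byte store KASAN flagged on the first of them; the fixed teardown reports none because a list head is never unlinked from anything, only its entries are. The same counter-based check is a cheap way to assert list discipline in unit tests of code that mirrors kernel list usage.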
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-11
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.1.153-1
linux linux_kernel 5.10.244-1
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a flaw in the Linux kernel's PCI endpoint function driver code. Specifically, it involves an incorrect use of the list_del() function on a list head field (epf_group) in the pci_epf_remove_cfs() function. This misuse causes a Kernel Address Sanitizer (KASAN) warning due to a use-after-free error when tearing down an endpoint function driver that has a configfs attribute group. Essentially, the kernel attempts to remove a list head as if it were a list entry, leading to memory corruption issues.


How can this vulnerability impact me?

This vulnerability can lead to memory corruption in the Linux kernel, specifically a use-after-free condition. This can cause system instability, crashes, or potentially allow an attacker with the ability to unload kernel modules to execute arbitrary code or escalate privileges. The impact depends on the environment and whether the vulnerable code path is exercised.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for KASAN (Kernel Address Sanitizer) warnings related to slab-use-after-free errors in the pci_epf_remove_cfs function. Specifically, look for kernel logs indicating a BUG: KASAN slab-use-after-free in pci_epf_remove_cfs with messages about list_del() misuse. You can check kernel logs using commands like `dmesg | grep -i kasan` or `journalctl -k | grep -i kasan` to find relevant error messages.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to apply the patch that removes the incorrect list_del() call from the pci_epf_remove_cfs function in the Linux kernel. Until the patch is applied, avoid unloading endpoint function drivers with configfs attribute groups to prevent triggering the use-after-free error. Monitoring and updating to a kernel version that includes this fix is recommended.

