CVE-2025-39821
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-12-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: perf: Avoid undefined behavior from stopping/starting inactive events Calling pmu->start()/stop() on perf events in PERF_EVENT_STATE_OFF can leave event->hw.idx at -1. When PMU drivers later attempt to use this negative index as a shift exponent in bitwise operations, it leads to UBSAN shift-out-of-bounds reports. The issue is a logical flaw in how event groups handle throttling when some members are intentionally disabled. Based on the analysis and the reproducer provided by Mark Rutland (this issue on both arm64 and x86-64). The scenario unfolds as follows: 1. A group leader event is configured with a very aggressive sampling period (e.g., sample_period = 1). This causes frequent interrupts and triggers the throttling mechanism. 2. A child event in the same group is created in a disabled state (.disabled = 1). This event remains in PERF_EVENT_STATE_OFF. Since it hasn't been scheduled onto the PMU, its event->hw.idx remains initialized at -1. 3. When throttling occurs, perf_event_throttle_group() and later perf_event_unthrottle_group() iterate through all siblings, including the disabled child event. 4. perf_event_throttle()/unthrottle() are called on this inactive child event, which then call event->pmu->start()/stop(). 5. The PMU driver receives the event with hw.idx == -1 and attempts to use it as a shift exponent. e.g., in macros like PMCNTENSET(idx), leading to the UBSAN report. The throttling mechanism attempts to start/stop events that are not actively scheduled on the hardware. Move the state check into perf_event_throttle()/perf_event_unthrottle() so that inactive events are skipped entirely. This ensures only active events with a valid hw.idx are processed, preventing undefined behavior and silencing UBSAN warnings. The corrected check ensures true before proceeding with PMU operations. The problem can be reproduced with the syzkaller reproducer:
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-12-02
Generated
2026-05-07
AI Q&A
2025-09-16
EPSS Evaluated
2026-05-05
NVD
CVE-2025-39821
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.16 (inc) to 6.16.5 (exc)
linux linux_kernel 6.17
linux linux_kernel 6.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's perf subsystem where calling start()/stop() on perf events that are inactive (in PERF_EVENT_STATE_OFF) causes the event's hardware index (hw.idx) to remain at -1. Later, when the PMU driver uses this negative index as a shift exponent in bitwise operations, it leads to undefined behavior and UBSAN shift-out-of-bounds errors. The root cause is a logical flaw in handling event groups with some disabled members during throttling, where inactive events are incorrectly processed. The fix involves skipping inactive events during throttling to prevent these invalid operations.


How can this vulnerability impact me? :

This vulnerability can cause undefined behavior in the Linux kernel's perf subsystem, potentially leading to kernel warnings or errors due to invalid bitwise operations on negative indices. While it does not directly indicate a security breach, such undefined behavior can affect system stability or reliability when using performance monitoring features, especially under heavy sampling and throttling conditions.


What immediate steps should I take to mitigate this vulnerability?

Update the Linux kernel to a version that includes the fix for this vulnerability, which moves the state check into perf_event_throttle()/perf_event_unthrottle() to skip inactive events and prevent undefined behavior. Avoid using perf events with disabled child events in aggressive sampling configurations until the patch is applied.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart