CVE-2025-39977
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* back */ wake_up_state(q->task, TASK_NORMAL); In this scenario futex_wait_requeue_pi() is able to leave without using futex_q::lock_ptr for synchronization. This can be prevented by reading futex_q::task before updating the futex_q::requeue_state. A reference on the task_struct is not needed because requeue_pi_wake_futex() is invoked with a spinlock_t held which implies a RCU read section. Even if T1 terminates immediately after, the task_struct will remain valid during T2's wake_up_state(). A READ_ONCE on futex_q::task before futex_requeue_pi_complete() is enough because it ensures that the variable is read before the state is updated. Read futex_q::task before updating the requeue state, use it for the following wakeup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-16
Generated
2026-05-07
AI Q&A
2025-10-15
EPSS Evaluated
2026-05-05
NVD
CVE-2025-39977
EUVD
EUVD-2025-34595
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the Linux kernel's futex subsystem during the requeue-PI operation. It involves a race condition between two threads (T1 and T2) where T1 can leave the futex_wait_requeue_pi() function without proper synchronization, causing futex_q to become garbage on the stack. This happens because futex_q::lock_ptr is not used correctly for synchronization. The fix involves reading futex_q::task before updating the requeue state to ensure the task_struct remains valid during wake-up, preventing the use-after-free condition.


How can this vulnerability impact me? :

This vulnerability can lead to a use-after-free condition in the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the race condition in the futex subsystem.


What immediate steps should I take to mitigate this vulnerability?

Update the Linux kernel to a version that includes the fix for the futex use-after-free vulnerability during requeue-PI. The fix involves reading futex_q::task before updating the requeue state to prevent the race condition. Applying the latest kernel patches or updates from your Linux distribution vendor that address this issue is the recommended mitigation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart