CVE-2025-39673

MEDIUM

Linux Kernel 5.13-5.15.190 5.16-6.1.149 6.2-6.6.103 6.7-6.12.44 6.13-6.16.4 - Race Condition in ppp_fill_forward_path

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic. 2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels. Fix these by using a lockless RCU approach: - Use list_first_or_null_rcu() to safely test and access the first list entry. - Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal. - Check for a NULL pch->chan before dereferencing it.

References (8)

Core 8

Scores

CVSS v3 4.7
EPSS 0.0002
EPSS Percentile 5.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-362
Status published
Products (22)
debian/debian_linux 11.0
linux/Kernel 5.13.0 - 5.15.190linux
linux/Kernel 5.16.0 - 6.1.149linux
linux/Kernel 6.13.0 - 6.16.4linux
linux/Kernel 6.2.0 - 6.6.103linux
linux/Kernel 6.7.0 - 6.12.44linux
Linux/Linux < 5.13
Linux/Linux 5.13
Linux/Linux 5.15.190 - 5.15.*
Linux/Linux 6.1.149 - 6.1.*
... and 12 more
Published Sep 05, 2025
Tracked Since Feb 18, 2026