CVE-2025-39697

05.09.2025, 18:15

In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix a race when updating an existing write

After nfs_lock_and_join_requests() tests for whether the request is
still attached to the mapping, nothing prevents a call to
nfs_inode_remove_request() from succeeding until we actually lock the
page group.
The reason is that whoever called nfs_inode_remove_request() doesn't
necessarily have a lock on the page group head.

So in order to avoid races, let's take the page group lock earlier in
nfs_lock_and_join_requests(), and hold it across the removal of the
request in nfs_inode_remove_request().

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Linux	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
linux	linux_kernel	4.14 ≤ 𝑥 < 5.10.242
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.191
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.150
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.104
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.44
linux	linux_kernel	6.13 ≤ 𝑥 < 6.16.4
linux	linux_kernel	6.17:rc1
linux	linux_kernel	6.17:rc2
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	vulnerable
bullseye (security)	5.10.247-1 fixed
bookworm	6.1.159-1 fixed
bookworm (security)	6.1.158-1 fixed
trixie	6.12.63-1 fixed
trixie (security)	6.12.48-1 fixed
forky	6.17.13-1 fixed
sid	6.18.5-1 fixed

linux-6.1

bullseye (security)

6.1.159-1~deb11u1

fixed

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://git.kernel.org/stable/c/0ff42a32784e0f2cb46a46da8e9f473538c13e1b

https://git.kernel.org/stable/c/181feb41f0b268e6288bf9a7b984624d7fe2031d

https://git.kernel.org/stable/c/202a3432d21ac060629a760fff3b0a39859da3ea

https://git.kernel.org/stable/c/76d2e3890fb169168c73f2e4f8375c7cc24a765e

https://git.kernel.org/stable/c/92278ae36935a54e65fef9f8ea8efe7e80481ace

https://git.kernel.org/stable/c/c32e3c71aaa1c1ba05da88605e2ddd493c58794f

https://git.kernel.org/stable/c/f230d40147cc37eb3aef4d50e2e2c06ea73d9a77

https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html