CVE-2025-39966: Race Condition in Linux

Severity: 7.0 HIGH (NVD)
EPSS: 0.0% (top 99.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 15

Description

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix race during abort for file descriptors

fput() doesn't actually call file_operations release() synchronously, it puts the file on a work queue and it will be released eventually. This is normally fine, except for iommufd the file and the iommufd_object are tied together. The file has the object as its private_data and holds a users refcount, while the object is expected to remain alive as long as the file is. W

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.0 | Impact: 5.9

Affected Packages (4 packages)

NVD | linux/linux_kernel | 6.11 | 6.12.50 | +2
Debian | linux/linux_kernel | < 6.12.57-1 | +1
CVEListV5 | linux/linux | 07838f7fd529c8a6de44b601d4b7057e6c8d36ed | 17195a7d754a5c6a31888702ca93f6f08f3383ad | +3
debian | debian/linux | < linux 6.16.10-1 (forky)

Patches

Vulnerability Details (2)

OSV (2025-10-15)
CVE-2025-39966: In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix race during abort for file descriptors fput() doesn't actually call f

GHSA (2025-10-15)
GHSA-jrgc-8xmv-4r2m: In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix race during abort for file descriptors fput() doesn't actually call

Vendor Advisories (2)

Red Hat (2025-10-15)
kernel: iommufd: Fix race during abort for file descriptors

Debian (2025)
CVE-2025-39966: linux - In the Linux kernel, the following vulnerability has been resolved: iommufd: Fi...