CVE-2025-39673
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp: fix race conditions in ppp_fill_forward_path
ppp_fill_forward_path() has two race conditions:
The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic.
pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels.
Fix these by using a lockless RCU approach:
- Use list_first_or_null_rcu() to safely test and access the first list entry.
- Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal.
- Check for a NULL pch->chan before dereferencing it.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | f6efc675c9dd8d93f826b79ae7e33e03301db609 < 9a1969fbffc1f1900d92d7594b1b7d8d72ef3dc7 | affected |
| Linux | Linux | f6efc675c9dd8d93f826b79ae7e33e03301db609 < 0f1630be6fcca3f0c63e4b242ad202e5cde28a40 | affected |
| Linux | Linux | f6efc675c9dd8d93f826b79ae7e33e03301db609 < ca18d751bcc9faf5b7e82e9fae1223d103928181 | affected |
| Linux | Linux | f6efc675c9dd8d93f826b79ae7e33e03301db609 < 94731cc551e29511d85aa8dec61a6c071b1f2430 | affected |
| Linux | Linux | f6efc675c9dd8d93f826b79ae7e33e03301db609 < f97f6475fdcb3c28ff3c55cc4b7bde632119ec08 | affected |
| Linux | Linux | f6efc675c9dd8d93f826b79ae7e33e03301db609 < 0417adf367a0af11adf7ace849af4638cfb573f7 | affected |
| Linux | Linux | 5.13 | affected |
| Linux | Linux | 0 < 5.13 | unaffected |
| Linux | Linux | 5.15.190 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.149 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.103 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.44 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.4 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
Additional References
References
- https://git.kernel.org/stable/c/9a1969fbffc1f1900d92d7594b1b7d8d72ef3dc7
- https://git.kernel.org/stable/c/0f1630be6fcca3f0c63e4b242ad202e5cde28a40
- https://git.kernel.org/stable/c/ca18d751bcc9faf5b7e82e9fae1223d103928181
- https://git.kernel.org/stable/c/94731cc551e29511d85aa8dec61a6c071b1f2430
- https://git.kernel.org/stable/c/f97f6475fdcb3c28ff3c55cc4b7bde632119ec08
- https://git.kernel.org/stable/c/0417adf367a0af11adf7ace849af4638cfb573f7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.