CVE-2025-39816

Summary

In the Linux kernel, the following vulnerability has been resolved:

io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths

Since the buffers are mapped from userspace, it is prudent to use READ_ONCE() to read the value into a local variable, and use that for any other actions taken. Having a stable read of the buffer length avoids worrying about it changing after checking, or being read multiple times.

Similarly, the buffer may well change in between it being picked and being committed. Ensure the looping for incremental ring buffer commit stops if it hits a zero sized buffer, as no further progress can be made at that point.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxae98dbf43d755b4e111fcd086e53939bef3e9a1a < 695673eb5711ee5eb1769481cf1503714716a7d1affected
LinuxLinuxae98dbf43d755b4e111fcd086e53939bef3e9a1a < 91f262ea2a76a02d9e37dba6637cfe6feebb20a8affected
LinuxLinuxae98dbf43d755b4e111fcd086e53939bef3e9a1a < 390a61d284e1ced088d43928dfcf6f86fffdd780affected
LinuxLinuxae98dbf43d755b4e111fcd086e53939bef3e9a1a < 98b6fa62c84f2e129161e976a5b9b3cb4ccd117baffected
LinuxLinux6.12affected
LinuxLinux0 < 6.12unaffected
LinuxLinux6.12.49 <= 6.12.*unaffected
LinuxLinux6.12.81 <= 6.12.*unaffected
LinuxLinux6.16.5 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References