CVE-2025-39673— ppp: fix race conditions in ppp_fill_forward_path
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-39673
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ppp: fix race conditions in ppp_fill_forward_path
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic. 2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels. Fix these by using a lockless RCU approach: - Use list_first_or_null_rcu() to safely test and access the first list entry. - Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal. - Check for a NULL pch->chan before dereferencing it.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于ppp_fill_forward_path中存在竞争条件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-39673
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-39673
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-09-05 · 60 CVEs total
| CVE-2025-39707 | drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities | |
| CVE-2025-39725 | mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list | |
| CVE-2025-39722 | crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP | |
| CVE-2025-39721 | crypto: qat - flush misc workqueue during device shutdown | |
| CVE-2025-39720 | ksmbd: fix refcount leak causing resource not released | |
| CVE-2025-39723 | netfs: Fix unbuffered write error handling | |
| CVE-2025-39711 | media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls | |
| CVE-2025-39710 | media: venus: Add a check for packet size after reading from shared memory | |
| CVE-2025-39709 | media: venus: protect against spurious interrupts during probe | |
| CVE-2025-39708 | media: iris: Fix NULL pointer dereference | |
| CVE-2025-39712 | media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval | |
| CVE-2025-39706 | drm/amdkfd: Destroy KFD debugfs after destroy KFD wq | |
| CVE-2025-39705 | drm/amd/display: fix a Null pointer dereference vulnerability | |
| CVE-2025-39704 | LoongArch: KVM: Fix stack protector issue in send_ipi_data() | |
| CVE-2025-39703 | net, hsr: reject HSR frame if skb can't hold tag | |
| CVE-2025-39702 | ipv6: sr: Fix MAC comparison to be constant-time | |
| CVE-2025-39701 | ACPI: pfr_update: Fix the driver update version check | |
| CVE-2025-39700 | mm/damon/ops-common: ignore migration request to invalid nodes | |
| CVE-2025-39699 | iommu/riscv: prevent NULL deref in iova_to_phys | |
| CVE-2025-39698 | io_uring/futex: ensure io_futex_wait() cleans up properly on failure |
Showing top 20 of 60 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-39673
No comments yet