Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-39726— s390/ism: fix concurrency management in ism_cmd()

EPSS 0.01% · P3

Affected Version Matrix 10

VendorProductVersion RangeStatus
LinuxLinux684b89bc39ce4f204b1a2b180f39f2eb36a6b695< faf44487dfc80817f178dc8de7a0b73f960d019baffected
684b89bc39ce4f204b1a2b180f39f2eb36a6b695< 1194ad0d44d66b273a02a3a22882dc863a68d764affected
684b89bc39ce4f204b1a2b180f39f2eb36a6b695< fafaa4982bedb5532f5952000f714a3e63023f40affected
684b89bc39ce4f204b1a2b180f39f2eb36a6b695< 897e8601b9cff1d054cdd53047f568b0e1995726affected
4.19affected
< 4.19unaffected
6.6.101≤ 6.6.*unaffected
6.12.41≤ 6.12.*unaffected
… +2 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-39726

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
s390/ism: fix concurrency management in ism_cmd()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: s390/ism: fix concurrency management in ism_cmd() The s390x ISM device data sheet clearly states that only one request-response sequence is allowable per ISM function at any point in time. Unfortunately as of today the s390/ism driver in Linux does not honor that requirement. This patch aims to rectify that. This problem was discovered based on Aliaksei's bug report which states that for certain workloads the ISM functions end up entering error state (with PEC 2 as seen from the logs) after a while and as a consequence connections handled by the respective function break, and for future connection requests the ISM device is not considered -- given it is in a dysfunctional state. During further debugging PEC 3A was observed as well. A kernel message like [ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a is a reliable indicator of the stated function entering error state with PEC 2. Let me also point out that a kernel message like [ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery is a reliable indicator that the ISM function won't be auto-recovered because the ISM driver currently lacks support for it. On a technical level, without this synchronization, commands (inputs to the FW) may be partially or fully overwritten (corrupted) by another CPU trying to issue commands on the same function. There is hard evidence that this can lead to DMB token values being used as DMB IOVAs, leading to PEC 2 PCI events indicating invalid DMA. But this is only one of the failure modes imaginable. In theory even completely losing one command and executing another one twice and then trying to interpret the outputs as if the command we intended to execute was actually executed and not the other one is also possible. Frankly, I don't feel confident about providing an exhaustive list of possible consequences.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于并发管理不当,可能导致设备进入错误状态。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 684b89bc39ce4f204b1a2b180f39f2eb36a6b695 ~ faf44487dfc80817f178dc8de7a0b73f960d019b -
LinuxLinux 4.19 -

II. Public POCs for CVE-2025-39726

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-39726

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-09-05 · 60 CVEs total

CVE-2025-39706drm/amdkfd: Destroy KFD debugfs after destroy KFD wq
CVE-2025-39724serial: 8250: fix panic due to PSLVERR
CVE-2025-39721crypto: qat - flush misc workqueue during device shutdown
CVE-2025-39720ksmbd: fix refcount leak causing resource not released
CVE-2025-39719iio: imu: bno055: fix OOB access of hw_xlate array
CVE-2025-39722crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP
CVE-2025-39710media: venus: Add a check for packet size after reading from shared memory
CVE-2025-39709media: venus: protect against spurious interrupts during probe
CVE-2025-39708media: iris: Fix NULL pointer dereference
CVE-2025-39707drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities
CVE-2025-39711media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
CVE-2025-39705drm/amd/display: fix a Null pointer dereference vulnerability
CVE-2025-39704LoongArch: KVM: Fix stack protector issue in send_ipi_data()
CVE-2025-39703net, hsr: reject HSR frame if skb can't hold tag
CVE-2025-39702ipv6: sr: Fix MAC comparison to be constant-time
CVE-2025-39701ACPI: pfr_update: Fix the driver update version check
CVE-2025-39700mm/damon/ops-common: ignore migration request to invalid nodes
CVE-2025-39699iommu/riscv: prevent NULL deref in iova_to_phys
CVE-2025-39698io_uring/futex: ensure io_futex_wait() cleans up properly on failure
CVE-2025-39697NFS: Fix a race when updating an existing write

Showing top 20 of 60 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-39726

No comments yet

Leave a comment