CVE-2025-39866— fs: writeback: fix use-after-free in __mark_inode_dirty()
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-39866
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
fs: writeback: fix use-after-free in __mark_inode_dirty()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark_inode_dirty+0x124/0x418 generic_update_time+0x4c/0x60 file_modified+0xcc/0xd0 ext4_buffered_write_iter+0x58/0x124 ext4_file_write_iter+0x54/0x704 vfs_write+0x1c0/0x308 ksys_write+0x74/0x10c __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x40/0xe4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x194/0x198 Root cause is: systemd-random-seed kworker ---------------------------------------------------------------------- ___mark_inode_dirty inode_switch_wbs_work_fn spin_lock(&inode->i_lock); inode_attach_wb locked_inode_to_wb_and_lock_list get inode->i_wb spin_unlock(&inode->i_lock); spin_lock(&wb->list_lock) spin_lock(&inode->i_lock) inode_io_list_move_locked spin_unlock(&wb->list_lock) spin_unlock(&inode->i_lock) spin_lock(&old_wb->list_lock) inode_do_switch_wbs spin_lock(&inode->i_lock) inode->i_wb = new_wb spin_unlock(&inode->i_lock) spin_unlock(&old_wb->list_lock) wb_put_many(old_wb, nr_switched) cgwb_release old wb released wb_wakeup_delayed() accesses wb, then trigger the use-after-free issue Fix this race condition by holding inode spinlock until wb_wakeup_delayed() finished.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于__mark_inode_dirty函数中存在释放后重用问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-39866
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Proof of concept for CVE-2025-39866 (UAF and race condition) | https://github.com/byteReaper77/CVE-2025-39866 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-39866
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-09-19 · 30 CVEs total
| CVE-2025-39852 | net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 | |
| CVE-2025-39837 | platform/x86: asus-wmi: Fix racy registrations | |
| CVE-2025-39838 | cifs: prevent NULL pointer dereference in UTF16 conversion | |
| CVE-2025-39839 | batman-adv: fix OOB read/write in network-coding decode | |
| CVE-2025-39840 | audit: fix out-of-bounds read in audit_compare_dname_path() | |
| CVE-2025-39841 | scsi: lpfc: Fix buffer free/clear order in deferred receive path | |
| CVE-2025-39842 | ocfs2: prevent release journal inode after journal shutdown | |
| CVE-2025-39844 | mm: move page table sync declarations to linux/pgtable.h | |
| CVE-2025-39843 | mm: slub: avoid wake up kswapd in set_track_prepare | |
| CVE-2025-39845 | x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() | |
| CVE-2025-39846 | pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() | |
| CVE-2025-39847 | ppp: fix memory leak in pad_compress_skb | |
| CVE-2025-39848 | ax25: properly unshare skbs in ax25_kiss_rcv() | |
| CVE-2025-39849 | wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() | |
| CVE-2025-39850 | vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects | |
| CVE-2025-39865 | tee: fix NULL pointer dereference in tee_shm_put | |
| CVE-2025-39851 | vxlan: Fix NPD when refreshing an FDB entry with a nexthop object | |
| CVE-2025-39853 | i40e: Fix potential invalid access when MAC list is empty | |
| CVE-2025-39854 | ice: fix NULL access of tx->in_use in ice_ll_ts_intr | |
| CVE-2025-39856 | net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev |
Showing top 20 of 30 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-39866
No comments yet