VYPR
High severity · 7.8 · NVD Advisory · Published Sep 5, 2025 · Updated May 12, 2026

CVE-2025-39689

Description

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Also allocate and copy hash for reading of filter files

Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can cause UAF and similar bugs.

Allocate and copy the hash for reading the filter files like it is done for the writers. This not only fixes UAF bugs, but also makes the code a bit simpler as it doesn't have to differentiate when to free the iterator's hash between writers and readers.
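The two reader patterns the description contrasts, as an added userspace example; it is not code from the kernel patch or from this advisory. All names (hash_lock, global_hash, filter_update, iter_open_borrowed, iter_open_copy) are hypothetical and a pthread mutex stands in for the kernel lock.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the pattern; names are illustrative, not the kernel's. */
struct hash { size_t count; unsigned long *ips; };
struct iter { struct hash *hash; };
static pthread_mutex_t hash_lock = PTHREAD_MUTEX_INITIALIZER;
static struct hash *global_hash;            /* writers replace this wholesale */

static struct hash *hash_dup(const unsigned long *ips, size_t n) {
    struct hash *h = malloc(sizeof(*h));
    if (!h) return NULL;
    h->ips = calloc(n ? n : 1, sizeof(*h->ips));
    if (!h->ips) { free(h); return NULL; }
    if (n) memcpy(h->ips, ips, n * sizeof(*h->ips));
    h->count = n;
    return h;
}
static void hash_free(struct hash *h) { if (h) { free(h->ips); free(h); } }

/* Writer: publish a new hash under the lock, then free the old one. */
int filter_update(const unsigned long *ips, size_t n) {
    struct hash *old, *fresh = hash_dup(ips, n);
    if (!fresh) return -1;
    pthread_mutex_lock(&hash_lock);
    old = global_hash;
    global_hash = fresh;
    pthread_mutex_unlock(&hash_lock);
    hash_free(old);
    return 0;
}
/* Pre-fix reader: borrows the global pointer. Once the lock is dropped,
 * filter_update() can free the hash while the iterator still points at it. */
void iter_open_borrowed(struct iter *it) {
    pthread_mutex_lock(&hash_lock);
    it->hash = global_hash;
    pthread_mutex_unlock(&hash_lock);
}
/* Post-fix reader: takes a private copy while the lock is held. */
int iter_open_copy(struct iter *it) {
    pthread_mutex_lock(&hash_lock);
    it->hash = global_hash ? hash_dup(global_hash->ips, global_hash->count)
                           : hash_dup(NULL, 0);
    pthread_mutex_unlock(&hash_lock);
    return it->hash ? 0 : -1;
}
/* With a private copy, the release path always frees the iterator's hash. */
void iter_release(struct iter *it) { hash_free(it->hash); it->hash = NULL; }
```

An iterator opened with iter_open_copy keeps a consistent snapshot across later filter_update calls, and iter_release needs no writer-versus-reader distinction to decide whether to free.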

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's ftrace, reading filter files without copying the global hash can cause a use-after-free, potentially leading to memory corruption and privilege escalation.

The vulnerability exists in the Linux kernel's ftrace subsystem. When reading the set_ftrace_filter or set_ftrace_notrace files, the reader stored a pointer directly to the global tracer hash in its iterator instead of making a local copy. That pointer stayed in use across function calls that release the locks, so the global hash could be updated concurrently while the reader still referenced it, causing a use-after-free bug.

Exploitation requires local access to the ftrace files and the ability to trigger a race condition where the filter hash is updated while another thread reads the file. This can be achieved by a local attacker with sufficient privileges to access these files and perform concurrent modifications.

A successful exploit can lead to memory corruption, potentially resulting in privilege escalation or a system crash. The vulnerability has been assigned a CVSS score of 7.8 (High).

The fix allocates and copies the hash for reading, similar to the writer's approach, thereby preventing the use-after-free. Patches are available from the Linux kernel stable repository.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
