VYPR
High severity7.8NVD Advisory· Published Sep 5, 2025· Updated May 12, 2026

CVE-2025-39691

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/buffer: fix use-after-free when call bh_read() helper

There's an issue as follows:

BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0
CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
 dump_stack_lvl+0x55/0x70
 print_address_description.constprop.0+0x2c/0x390
 print_report+0xb4/0x270
 kasan_report+0xb8/0xf0
 end_buffer_read_sync+0xe3/0x110
 end_bio_bh_io_sync+0x56/0x80
 blk_update_request+0x30a/0x720
 scsi_end_request+0x51/0x2b0
 scsi_io_completion+0xe3/0x480
 ? scsi_device_unbusy+0x11e/0x160
 blk_complete_reqs+0x7b/0x90
 handle_softirqs+0xef/0x370
 irq_exit_rcu+0xa5/0xd0
 sysvec_apic_timer_interrupt+0x6e/0x90

The above issue happens when doing an ntfs3 filesystem mount; it may happen as follows:

        mount                                   IRQ
ntfs_fill_super
  read_cache_page
    do_read_cache_folio
      filemap_read_folio
        mpage_read_folio
          do_mpage_readpage
            ntfs_get_block_vbo
              bh_read
                submit_bh
                wait_on_buffer(bh);
                                                blk_complete_reqs
                                                  scsi_io_completion
                                                    scsi_end_request
                                                      blk_update_request
                                                        end_bio_bh_io_sync
                                                          end_buffer_read_sync
                                                            __end_buffer_read_notouch
                                                              unlock_buffer
                wait_on_buffer(bh); --> return will return to caller
                                                            put_bh
                                                              --> trigger stack-out-of-bounds

In the mpage_read_folio() function, the stack variable 'map_bh' is passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and wait_on_buffer() returns to continue processing, the stack variable is likely to be reclaimed. Consequently, during the end_buffer_read_sync() process, calling put_bh() may result in a stack overrun.

If the bh is not allocated on the stack, it belongs to a folio. Freeing a buffer head which belongs to a folio is done by drop_buffers() which will fail to free buffers which are still locked. So it is safe to call put_bh() before __end_buffer_read_notouch().
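The ordering argument above (unlock first, then put_bh, versus put_bh first, then unlock) can be checked with a small userspace model. The following C program is an added illustration, not kernel code or part of the fix: struct bh_model and every model_* function are stand-ins for buffer_head, unlock_buffer(), put_bh() and drop_buffers(), and the race is collapsed into the worst-case deterministic schedule in which the waiter in wait_on_buffer() returns the instant the lock is cleared. It counts accesses to the reclaimed stack object under both orderings and shows why a folio-backed bh cannot be freed while still locked.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Toy model of the buffer-head lifetime race described in the commit message.
 * It is NOT kernel code: struct bh_model and the model_* functions are
 * stand-ins for buffer_head, unlock_buffer(), put_bh() and drop_buffers().
 */
struct bh_model {
    bool locked;    /* BH_Lock: set by submit_bh, cleared by unlock_buffer */
    int  refcount;  /* b_count: dropped by put_bh */
    bool on_stack;  /* true for mpage_read_folio()'s map_bh */
    bool alive;     /* false once the owning stack frame has been reclaimed */
};

/*
 * Waiter side. The mount thread sleeps in wait_on_buffer() until the lock is
 * cleared, returns to its caller, and the frame holding map_bh is reused.
 * Worst-case schedule: the waiter runs as soon as it is woken.
 */
static void model_waiter_wakes(struct bh_model *bh)
{
    if (bh->on_stack)
        bh->alive = false;   /* map_bh's stack slot is now gone */
}

/* unlock_buffer(): clear the lock bit and wake anyone in wait_on_buffer(). */
static void model_unlock_buffer(struct bh_model *bh)
{
    bh->locked = false;
    model_waiter_wakes(bh);
}

/*
 * put_bh(): drop one reference. It touches bh memory, so on a dead stack
 * object this is the read KASAN reported in end_buffer_read_sync().
 * Returns the number of accesses to a dead object (0 or 1).
 */
static int model_put_bh(struct bh_model *bh)
{
    if (!bh->alive)
        return 1;
    bh->refcount--;
    return 0;
}

/* Completion in the order the commit message describes as buggy. */
static int model_end_buffer_read_sync_vulnerable(struct bh_model *bh)
{
    model_unlock_buffer(bh);       /* __end_buffer_read_notouch() -> unlock */
    return model_put_bh(bh);       /* bh may already be gone */
}

/* Completion with the ordering the commit message calls safe. */
static int model_end_buffer_read_sync_fixed(struct bh_model *bh)
{
    int bad = model_put_bh(bh);    /* still locked, frame still alive */
    model_unlock_buffer(bh);       /* only now may the waiter return */
    return bad;
}

/*
 * drop_buffers(): a folio-backed bh is only freed when it is unlocked and
 * unreferenced; a locked buffer is refused. Returns true if freeing succeeds.
 */
static bool model_drop_buffers(const struct bh_model *bh)
{
    return !bh->on_stack && !bh->locked && bh->refcount == 0;
}

/* Run one I/O completion against a locked, single-referenced bh. */
static int run_completion(bool on_stack, bool fixed)
{
    struct bh_model bh = { .locked = true, .refcount = 1,
                           .on_stack = on_stack, .alive = true };
    return fixed ? model_end_buffer_read_sync_fixed(&bh)
                 : model_end_buffer_read_sync_vulnerable(&bh);
}

/* Can a folio bh whose last reference was just dropped be freed while locked? */
static bool folio_bh_freed_while_locked(void)
{
    struct bh_model bh = { .locked = true, .refcount = 1,
                           .on_stack = false, .alive = true };
    model_put_bh(&bh);              /* refcount -> 0, lock still held */
    return model_drop_buffers(&bh); /* expected: false */
}

int main(void)
{
    printf("stack bh, vulnerable order: %d dead-object access(es)\n",
           run_completion(true, false));
    printf("stack bh, fixed order:      %d dead-object access(es)\n",
           run_completion(true, true));
    printf("folio bh freed while locked: %s\n",
           folio_bh_freed_while_locked() ? "yes" : "no");
    return 0;
}
```

The model makes the two halves of the fix visible: with put_bh() moved before the unlock, the completion path never touches the stack-allocated bh after its owner can return, and for a folio-backed bh the early refcount drop is harmless because the buffer is still locked and so cannot be reclaimed by drop_buffers() until the unlock that follows.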

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in the Linux kernel's buffer head (bh) read helper can cause stack out-of-bounds access during filesystem mount operations.

Vulnerability

Overview

CVE-2025-39691 is a use-after-free vulnerability in the Linux kernel's fs/buffer head (bh) read helper function bh_read(). The root cause is a race condition during filesystem mount operations, specifically when a stack-allocated buffer head (map_bh) is passed to ntfs_get_block_vbo() in the NTFS3 filesystem. After unlock_buffer() is called in the I/O completion path, the stack variable can be reclaimed before the put_bh() call completes, leading to a stack out-of-bounds access [1].

Exploitation

Conditions

The vulnerability is triggered during the NTFS3 filesystem mount process. The attack surface requires an attacker to be able to mount a crafted NTFS filesystem image, which could be achieved via physical access, removable media, or a remote file share. No authentication is needed beyond the ability to trigger a mount operation. The race occurs between the mount thread and the block layer I/O completion interrupt handler, making it a time-of-check/time-of-use (TOCTOU) issue [1].

Impact

An attacker exploiting this vulnerability could cause a kernel crash (denial of service) due to the stack out-of-bounds access. In some configurations, this may lead to memory corruption or privilege escalation, though the primary impact is system instability. The CVSS v3 score of 7.8 indicates high severity [1].

Mitigation

The Linux kernel community has addressed this vulnerability in stable kernel updates. Patches are available in commits such as 042cf48ecf67 and 70a09115da58 [2][3][4]. Users should update their kernel to the latest stable kernel version for their distribution. Siemens has also listed this CVE in their SIMATIC CN 4100 product advisory (SSA-032379), recommending an upgrade to V5.0 or later [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 11

News mentions: 1