CVE-2025-39715
Description
In the Linux kernel, the following vulnerability has been resolved:
parisc: Revise gateway LWS calls to probe user read access
We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory. Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel and gateway page execute at privilege level 0, so this code never triggers a read access interruption. Thus, it is currently possible for user code to execute a LWS compare and swap operation at an address that is read protected at privilege level 3 (PRIV_USER).
Fix this by probing read access rights at privilege level 3 and branching to lws_fault if access isn't allowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a parisc LWS gateway call could bypass user read protection, allowing operations on read-protected memory.
Vulnerability
Analysis
CVE-2025-39715 is a vulnerability in the Linux kernel's parisc kernel's parisc architecture. The issue lies in the gateway Lightweighted Lightweight System (LWS) calls, specifically the compare-and-swap operation. The kernel uses load and stbys,e instructions to trigger memory reference interruptions without writing to memory. However, read access interruptions are only triggered at privilege levels 2 and 3, while the kernel and gateway page execute at privilege level 0. Consequently, the code never triggers a read access interruption, allowing user code to execute a LWS compare and swap operation at an address that is read-protected at privilege level 3 (PRIV_USER).
Exploitation
An attacker with local user access on a parisc system could exploit this by crafting a LWS call targeting a read-protected memory region. The attack requires no special privileges beyond user-level access, but the attacker must be able to execute user-space code. The vulnerability is triggered by the kernel's failure to properly probe read access rights before performing the LWS operation.
Impact
Successful exploitation could allow an attacker to perform a compare-and-swap operation on memory that should be read-protected. This could lead to unauthorized modification of kernel or other process memory, potentially resulting in privilege escalation or system instability. The CVSS v3 score of 5.5 (Medium) reflects the need for local access and the potential for significant impact.
Mitigation
The fix, as described in the kernel commit, probes read access rights at privilege level 3 and branches to lws_fault if access is not allowed. The patch has been applied to the stable kernel tree [2][3][4]. Users should update their Linux kernel to a version containing this fix. The vulnerability is also listed as affecting Siemens SIMATIC CN 4100 devices [1], which should apply the vendor-provided remediation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Linux/Linuxv5Range: 5.17
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/8bccf47adbf658293528e86960e6d6f736b1c9f7nvdPatch
- git.kernel.org/stable/c/9b6af875baba9c4679b55f4561e201485451305fnvdPatch
- git.kernel.org/stable/c/bc0a24c24ceebabb5ba65900e332233d79e625e6nvdPatch
- git.kernel.org/stable/c/e8b496c52aa0c6572d88db7cab85aeea6f9c194dnvdPatch
- git.kernel.org/stable/c/f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8nvdPatch
- lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlnvdThird Party Advisory
- cert-portal.siemens.com/productcert/html/ssa-032379.htmlnvd
News mentions
1- Siemens SIMATICCISA ICS Advisories