CVE-2025-39749
Description
In the Linux kernel, the following vulnerability has been resolved:
rcu: Protect ->defer_qs_iw_pending from data race
On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is invoked within an interrupts-disabled region of code [1], it will invoke rcu_read_unlock_special(), which uses an irq-work handler to force the system to notice when the RCU read-side critical section actually ends. That end won't happen until interrupts are enabled at the soonest.
In some kernels, such as those booted with rcutree.use_softirq=y, the irq-work handler is used unconditionally.
The per-CPU rcu_data structure's ->defer_qs_iw_pending field is updated by the irq-work handler and is both read and updated by rcu_read_unlock_special(). This resulted in the following KCSAN splat:
------------------------------------------------------------------------
BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special
read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
 rcu_read_unlock_special+0x175/0x260
 __rcu_read_unlock+0x92/0xa0
 rt_spin_unlock+0x9b/0xc0
 __local_bh_enable+0x10d/0x170
 __local_bh_enable_ip+0xfb/0x150
 rcu_do_batch+0x595/0xc40
 rcu_cpu_kthread+0x4e9/0x830
 smpboot_thread_fn+0x24d/0x3b0
 kthread+0x3bd/0x410
 ret_from_fork+0x35/0x40
 ret_from_fork_asm+0x1a/0x30

write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
 rcu_preempt_deferred_qs_handler+0x1e/0x30
 irq_work_single+0xaf/0x160
 run_irq_workd+0x91/0xc0
 smpboot_thread_fn+0x24d/0x3b0
 kthread+0x3bd/0x410
 ret_from_fork+0x35/0x40
 ret_from_fork_asm+0x1a/0x30

no locks held by irq_work/8/88.
irq event stamp: 200272
hardirqs last enabled at (200272): [] finish_task_switch+0x131/0x320
hardirqs last disabled at (200271): [] __schedule+0x129/0xd70
softirqs last enabled at (0): [] copy_process+0x4df/0x1cc0
softirqs last disabled at (0): [<0000000000000000>] 0x0
------------------------------------------------------------------------
The problem is that irq-work handlers run with interrupts enabled, which means that rcu_preempt_deferred_qs_handler() could be interrupted, and that interrupt handler might contain an RCU read-side critical section, which might invoke rcu_read_unlock_special(). In the strict KCSAN mode of operation used by RCU, this constitutes a data race on the ->defer_qs_iw_pending field.
This commit therefore disables interrupts across the portion of the rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending field. This suffices because this handler is not a fast path.
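The race and the fix, modelled in userspace C as an added example (not kernel code and not the commit itself): the function names mirror the kernel's, but the deterministic interrupt model, the irq_disable()/irq_enable() stand-ins for local_irq_save()/local_irq_restore(), and the overlap counter that plays the role of KCSAN are assumptions of this model.

```c
/* Userspace model (added example, not kernel code) of the race between
 * rcu_preempt_deferred_qs_handler() and rcu_read_unlock_special(), and of
 * the fix: disabling interrupts across the ->defer_qs_iw_pending update. */
#include <stdbool.h>
struct rcu_data { bool defer_qs_iw_pending; int irq_work_queued; };
static struct rcu_data rdp;       /* one per-CPU rcu_data stands in for all */
/* Interrupts disabled: an arriving interrupt is held back until re-enabled. */
static bool irqs_enabled = true, irq_held_back;
static bool handler_updating;     /* true while the handler touches the field */
static int overlapping_accesses;  /* what a KCSAN-style detector would report */
static void rcu_read_unlock_special(void)
{
    if (handler_updating)         /* plain access concurrent with the update */
        overlapping_accesses++;
    if (!rdp.defer_qs_iw_pending) {   /* read, then write, of the same field */
        rdp.defer_qs_iw_pending = true;
        rdp.irq_work_queued++;    /* irq_work_queue_on() in the kernel */
    }
}
static void interrupt(void)   /* an irq handler ending an RCU read-side section */
{
    if (irqs_enabled) rcu_read_unlock_special(); else irq_held_back = true;
}
/* Stand-ins for local_irq_save() / local_irq_restore(). */
static void irq_disable(void) { irqs_enabled = false; }
static void irq_enable(void)
{
    irqs_enabled = true;
    if (irq_held_back) { irq_held_back = false; interrupt(); }
}
/* The irq-work handler; 'patched' adds the fix. Interrupt injected at the store. */
static void rcu_preempt_deferred_qs_handler(bool patched)
{
    if (patched) irq_disable();
    handler_updating = true;
    interrupt();                  /* irq-work handlers run with irqs enabled */
    rdp.defer_qs_iw_pending = false;
    handler_updating = false;
    if (patched) irq_enable();
}
/* One deferral cycle; returns how many accesses overlapped the update. */
int run_cycle(bool patched)
{
    rdp = (struct rcu_data){0}; overlapping_accesses = 0; irq_held_back = false;
    rcu_read_unlock_special();    /* unlock in an irqs-off region queues the work */
    rcu_preempt_deferred_qs_handler(patched);
    return overlapping_accesses;
}
int irq_work_queued(void) { return rdp.irq_work_queued; }
```

In the unpatched cycle the interrupt's rcu_read_unlock_special() overlaps the handler's store; in the patched cycle it is delivered only after the store, observes the cleared flag and re-arms the irq work.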
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A data race in the Linux kernel's RCU subsystem, where the ->defer_qs_iw_pending field is accessed without proper synchronization, can lead to unpredictable behavior.
Vulnerability
Overview
CVE-2025-39749 is a data race vulnerability in the Linux kernel's Read-Copy-Update (RCU) subsystem. The issue occurs in the rcu_read_unlock_special() function and the rcu_preempt_deferred_qs_handler() irq-work handler, which concurrently read and write the ->defer_qs_iw_pending field of the per-CPU rcu_data structure without proper synchronization [1]. This race condition was detected by the Kernel Concurrency Sanitizer (KCSAN) tool, which reported a data race between a read in rcu_read_unlock_special() and a write in rcu_preempt_deferred_qs_handler() [1].
Exploitation and Attack Surface
- The vulnerability is triggered when rcu_read_unlock() is called within an interrupts-disabled region of code, causing rcu_read_unlock_special() to use an irq-work handler to defer the completion of the RCU read-side critical section until interrupts are re-enabled [1]. On kernels built with CONFIG_IRQ_WORK=y or booted with rcutree.use_softirq=y, the irq-work handler is used unconditionally, making the race condition more likely to occur [1]. An attacker would need to be able to execute code on the target system to trigger this race, but no special privileges are required beyond the ability to invoke RCU read-side critical sections in the described context.
Impact
- A successful exploitation of this data race could lead to unpredictable behavior in the RCU subsystem, potentially causing memory corruption, system crashes, or other instability [1]. The exact impact depends on the outcome of the race, but it could allow an attacker to corrupt kernel data structures or cause a denial of service [1]. The vulnerability is rated as High severity with a CVSS v3 score of 7.0, indicating a significant risk to system availability and integrity.
Mitigation
- The fix for this vulnerability is included in the Linux kernel stable updates, with patches available in commits such as b55947b725f1, e35e711c78c8, and 0ad84d622174 [2][3][4]. Users are advised to update their kernel to a version containing the fix. The Siemens advisory SSA-032379 lists this CVE as affecting SIMATIC CN 4100 devices running versions prior to V5.0, and recommends updating to V5.0 or later [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Linux/Linux v5, range: 5.3
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (12)
- git.kernel.org/stable/c/0ad84d62217488e679ecc90e8628980dcc003de3 (nvd, Patch)
- git.kernel.org/stable/c/55e11f6776798b27cf09a7aa0d718415d4fc9cf5 (nvd, Patch)
- git.kernel.org/stable/c/74f58f382a7c8333f8d09701aefaa25913bdbe0e (nvd, Patch)
- git.kernel.org/stable/c/90c09d57caeca94e6f3f87c49e96a91edd40cbfd (nvd, Patch)
- git.kernel.org/stable/c/90de9c94ea72327cfa9c2c9f6113c23a513af60b (nvd, Patch)
- git.kernel.org/stable/c/b55947b725f190396f475d5d0c59aa855a4d8895 (nvd, Patch)
- git.kernel.org/stable/c/b5de8d80b5d049f051b95d9b1ee50ae4ab656124 (nvd, Patch)
- git.kernel.org/stable/c/e35e711c78c8a4c43330c0dcb1c4d507a19c20f4 (nvd, Patch)
- git.kernel.org/stable/c/f937759c7432d6151b73e1393b6517661813d506 (nvd, Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00007.html (nvd, Mailing List, Third Party Advisory)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd, Mailing List, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions (1)
- Siemens SIMATIC (CISA Alerts)