VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Sep 16, 2025· Updated Apr 11, 2026

CVE-2025-39816

CVE-2025-39816

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths

Since the buffers are mapped from userspace, it is prudent to use READ_ONCE() to read the value into a local variable, and use that for any other actions taken. Having a stable read of the buffer length avoids worrying about it changing after checking, or being read multiple times.

Similarly, the buffer may well change in between it being picked and being committed. Ensure the looping for incremental ring buffer commit stops if it hits a zero sized buffer, as no further progress can be made at that point.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing READ_ONCE() in io_uring/kbuf allows userspace to race buffer length reads, potentially causing kernel memory corruption.

Vulnerability

CVE-2025-39816 is a race condition in the Linux kernel's io_uring subsystem, specifically in the buffer ring (kbuf) implementation. The kernel reads buffer lengths from userspace-mapped memory without using READ_ONCE(), meaning the value can change between reads or be read multiple times inconsistently [1][2]. This can lead to the kernel operating on stale or inconsistent buffer length values.

Exploitation

Exploitation

An attacker with the ability to map and modify the shared buffer ring from userspace can exploit this race. By rapidly changing the buffer length field after the kernel reads it but before it commits the buffer, the attacker can cause the kernel to use an incorrect length. The fix also ensures that if a zero-length buffers stop the incremental commit loop, preventing further progress [1][2].

Impact

Successful exploitation could allow an attacker to corrupt kernel memory, potentially leading to a denial of service (system crash) or, in more severe scenarios, privilege escalation. The CVSS v3 score of 5.5 (Medium) reflects the need for local access and the potential for high impact on integrity and availability.

Mitigation

The vulnerability is fixed in the Linux kernel by commits 390a61d284e1 and 695673eb5711 [1][2]. Users should apply the latest stable kernel updates to mitigate the issue.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5
  • Linux/Kernel5 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 4 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.12,<6.12.49
    • cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
    • (no CPE)

Patches

3
695673eb5711
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
390a61d284e1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
98b6fa62c84f
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.