VYPR
← All advisories
High severity7.8NVD Advisory· Published Sep 19, 2025· Updated May 12, 2026

CVE-2025-39866

CVE-2025-39866

Description

In the Linux kernel, the following vulnerability has been resolved:

fs: writeback: fix use-after-free in __mark_inode_dirty()

An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching.

CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark_inode_dirty+0x124/0x418 generic_update_time+0x4c/0x60 file_modified+0xcc/0xd0 ext4_buffered_write_iter+0x58/0x124 ext4_file_write_iter+0x54/0x704 vfs_write+0x1c0/0x308 ksys_write+0x74/0x10c __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x40/0xe4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x194/0x198

Root cause is:

systemd-random-seed kworker ---------------------------------------------------------------------- ___mark_inode_dirty inode_switch_wbs_work_fn

spin_lock(&inode->i_lock); inode_attach_wb locked_inode_to_wb_and_lock_list get inode->i_wb spin_unlock(&inode->i_lock); spin_lock(&wb->list_lock) spin_lock(&inode->i_lock) inode_io_list_move_locked spin_unlock(&wb->list_lock) spin_unlock(&inode->i_lock) spin_lock(&old_wb->list_lock) inode_do_switch_wbs spin_lock(&inode->i_lock) inode->i_wb = new_wb spin_unlock(&inode->i_lock) spin_unlock(&old_wb->list_lock) wb_put_many(old_wb, nr_switched) cgwb_release old wb released wb_wakeup_delayed() accesses wb, then trigger the use-after-free issue

Fix this race condition by holding inode spinlock until wb_wakeup_delayed() finished.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in Linux kernel writeback due to race condition in __mark_inode_dirty, potentially leading to local privilege escalation.

Vulnerability

A use-after-free vulnerability exists in the Linux kernel's writeback subsystem within the __mark_inode_dirty() function. The root cause is a race condition where a concurrent inode_switch_wbs_work_fn() worker can release the old bdi_writeback (wb) structure while __mark_inode_dirty() still holds a reference to it. This occurs because the inode's wb is switched without proper synchronization between the two code paths, leading to a dangling pointer and subsequent use-after-free when the delayed wb wakeup is performed [1].

Exploitation

Exploitation requires local access to the system and the ability to trigger file write operations (e.g., via a write system call) while a writeback switching operation is in progress. This race condition can be deliberately provoked by an unprivileged attacker to corrupt kernel memory. No special privileges beyond the ability to write to files are needed, making the attack surface broad in multi-user or container environments.

Impact

A successful exploit can lead to use-after-free, which may corrupt kernel memory and potentially allow an attacker to escalate privileges to root, execute arbitrary code, or cause a denial of service (system crash). The CVSSv3 score of 7.8 (High) reflects the high impact on confidentiality, integrity, and availability.

Mitigation

The vulnerability is fixed in Linux kernel stable releases as of commits [2] and [3]. Users should update to a kernel version containing the fix. Workarounds are not readily available; ensuring timely kernel updates is essential. The vulnerability is not known to be exploited in the wild as of publication.

References
  1. SSA-032379
  2. SSA-082556
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

10

News mentions

1