VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 12, 2025· Updated Apr 15, 2026

CVE-2025-40142

CVE-2025-40142

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT

snd_pcm_group_lock_irq() acquires a spinlock_t and disables interrupts via spin_lock_irq(). This also implicitly disables the handling of softirqs such as TIMER_SOFTIRQ. On PREEMPT_RT softirqs are preemptible and spin_lock_irq() does not disable them. That means a timer can be invoked during spin_lock_irq() on the same CPU. Due to synchronisations reasons local_bh_disable() has a per-CPU lock named softirq_ctrl.lock which synchronizes individual softirq against each other. syz-bot managed to trigger a lockdep report where softirq_ctrl.lock is acquired in hrtimer_cancel() in addition to hrtimer_run_softirq(). This is a possible deadlock.

The softirq_ctrl.lock can not be made part of spin_lock_irq() as this would lead to too much synchronisation against individual threads on the system. To avoid the possible deadlock, softirqs must be manually disabled before the lock is acquired.

Disable softirqs before the lock is acquired on PREEMPT_RT.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's ALSA PCM, on PREEMPT_RT, spin_lock_irq() does not disable softirqs, leading to a potential deadlock; fixed by manually disabling softirqs.

Root

Cause In the Linux kernel's ALSA PCM subsystem, the function snd_pcm_group_lock_irq() uses spin_lock_irq() to acquire a spinlock and disable interrupts. On PREEMPT_RT, spin_lock_irq() does not disable softirqs, which remain preemptible. This allows a timer softirq (e.g., TIMER_SOFTIRQ) to run concurrently on the same CPU, potentially leading to a deadlock due to the per-CPU lock softirq_ctrl.lock being acquired in both hrtimer_cancel() and hrtimer_run_softirq() [1].

Exploitation

The attack surface requires the ability to trigger a timer callback while the PCM group lock is held. On PREEMPT_RT, this can occur naturally via hrtimer operations. No specific prerequisites beyond having a system running a PREEMPT_RT kernel are needed; the deadlock can be triggered by normal timer usage.

Impact

If the deadlock occurs, it results in a kernel lockup or denial of service. The vulnerability does not allow arbitrary code execution or privilege escalation, as it is a locking issue.

Mitigation

The vulnerability is fixed by manually disabling softirqs with local_bh_disable() before acquiring the lock on PREEMPT_RT [2]. The fix was committed to the Linux kernel stable tree. Users are advised to update to a patched kernel version.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernelinferred2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)

Patches

3
63ee96c7f47d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
3969b6193cb7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
9fc4a3da9a02
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.