ppp: fix race conditions in ppp_fill_forward_path
Summary
| CVE | CVE-2025-39673 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-09-05 18:15:43 UTC |
| Updated | 2026-05-12 13:17:03 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic. 2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels. Fix these by using a lockless RCU approach: - Use list_first_or_null_rcu() to safely test and access the first list entry. - Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal. - Check for a NULL pch->chan before dereferencing it. |
Risk And Classification
Primary CVSS: v3.1 4.7 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-362
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
HighPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected f6efc675c9dd8d93f826b79ae7e33e03301db609 9a1969fbffc1f1900d92d7594b1b7d8d72ef3dc7 git | Not specified |
| CNA | Linux | Linux | affected f6efc675c9dd8d93f826b79ae7e33e03301db609 0f1630be6fcca3f0c63e4b242ad202e5cde28a40 git | Not specified |
| CNA | Linux | Linux | affected f6efc675c9dd8d93f826b79ae7e33e03301db609 ca18d751bcc9faf5b7e82e9fae1223d103928181 git | Not specified |
| CNA | Linux | Linux | affected f6efc675c9dd8d93f826b79ae7e33e03301db609 94731cc551e29511d85aa8dec61a6c071b1f2430 git | Not specified |
| CNA | Linux | Linux | affected f6efc675c9dd8d93f826b79ae7e33e03301db609 f97f6475fdcb3c28ff3c55cc4b7bde632119ec08 git | Not specified |
| CNA | Linux | Linux | affected f6efc675c9dd8d93f826b79ae7e33e03301db609 0417adf367a0af11adf7ace849af4638cfb573f7 git | Not specified |
| CNA | Linux | Linux | affected 5.13 | Not specified |
| CNA | Linux | Linux | unaffected 5.13 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.190 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.149 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.103 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.44 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.16.4 6.16.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.17 * original_commit_for_fix | Not specified |
| ADP | Siemens | SIMATIC CN 4100 | affected V5.0 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/ca18d751bcc9faf5b7e82e9fae1223d103928181 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2025/10/msg00008.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Third Party Advisory |
| git.kernel.org/stable/c/0f1630be6fcca3f0c63e4b242ad202e5cde28a40 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-032379.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/9a1969fbffc1f1900d92d7594b1b7d8d72ef3dc7 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/0417adf367a0af11adf7ace849af4638cfb573f7 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/94731cc551e29511d85aa8dec61a6c071b1f2430 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/f97f6475fdcb3c28ff3c55cc4b7bde632119ec08 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.