{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39698","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.115Z","datePublished":"2025-09-05T17:21:04.360Z","dateUpdated":"2026-05-11T21:34:31.915Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:34:31.915Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/futex: ensure io_futex_wait() cleans up properly on failure\n\nThe io_futex_data is allocated upfront and assigned to the io_kiocb\nasync_data field, but the request isn't marked with REQ_F_ASYNC_DATA\nat that point. Those two should always go together, as the flag tells\nio_uring whether the field is valid or not.\n\nAdditionally, on failure cleanup, the futex handler frees the data but\ndoes not clear ->async_data. Clear the data and the flag in the error\npath as well.\n\nThanks to Trend Micro Zero Day Initiative and particularly ReDress for\nreporting this."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["io_uring/futex.c"],"versions":[{"version":"194bb58c6090e39bd7d9b9c888a079213628e1f6","lessThan":"d9f93172820a53ab42c4b0e5e65291f4f9d00ad2","status":"affected","versionType":"git"},{"version":"194bb58c6090e39bd7d9b9c888a079213628e1f6","lessThan":"d34c04152df517c59979b4bf2a47f491e06d3256","status":"affected","versionType":"git"},{"version":"194bb58c6090e39bd7d9b9c888a079213628e1f6","lessThan":"508c1314b342b78591f51c4b5dadee31a88335df","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["io_uring/futex.c"],"versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","status":"unaffected","versionType":"semver"},{"version":"6.12.44","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.4","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.44"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.16.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d9f93172820a53ab42c4b0e5e65291f4f9d00ad2"},{"url":"https://git.kernel.org/stable/c/d34c04152df517c59979b4bf2a47f491e06d3256"},{"url":"https://git.kernel.org/stable/c/508c1314b342b78591f51c4b5dadee31a88335df"},{"url":"https://www.zerodayinitiative.com/advisories/ZDI-25-915/"}],"title":"io_uring/futex: ensure io_futex_wait() cleans up properly on failure","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"CHANGED","version":"3.1","baseScore":8.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-39698","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-09-26T03:55:13.138774Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-672","description":"CWE-672 Operation on a Resource after Expiration or Release"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T17:49:11.880Z"}}]}}