{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39749","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.125Z","datePublished":"2025-09-11T16:52:21.228Z","dateUpdated":"2026-05-12T12:06:44.240Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:35:32.172Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Protect ->defer_qs_iw_pending from data race\n\nOn kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is\ninvoked within an interrupts-disabled region of code [1], it will invoke\nrcu_read_unlock_special(), which uses an irq-work handler to force the\nsystem to notice when the RCU read-side critical section actually ends.\nThat end won't happen until interrupts are enabled at the soonest.\n\nIn some kernels, such as those booted with rcutree.use_softirq=y, the\nirq-work handler is used unconditionally.\n\nThe per-CPU rcu_data structure's ->defer_qs_iw_pending field is\nupdated by the irq-work handler and is both read and updated by\nrcu_read_unlock_special().  This resulted in the following KCSAN splat:\n\n------------------------------------------------------------------------\n\nBUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special\n\nread to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:\n rcu_read_unlock_special+0x175/0x260\n __rcu_read_unlock+0x92/0xa0\n rt_spin_unlock+0x9b/0xc0\n __local_bh_enable+0x10d/0x170\n __local_bh_enable_ip+0xfb/0x150\n rcu_do_batch+0x595/0xc40\n rcu_cpu_kthread+0x4e9/0x830\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nwrite to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:\n rcu_preempt_deferred_qs_handler+0x1e/0x30\n irq_work_single+0xaf/0x160\n run_irq_workd+0x91/0xc0\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nno locks held by irq_work/8/88.\nirq event stamp: 200272\nhardirqs last  enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320\nhardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70\nsoftirqs last  enabled at (0): [<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\n\n------------------------------------------------------------------------\n\nThe problem is that irq-work handlers run with interrupts enabled, which\nmeans that rcu_preempt_deferred_qs_handler() could be interrupted,\nand that interrupt handler might contain an RCU read-side critical\nsection, which might invoke rcu_read_unlock_special().  In the strict\nKCSAN mode of operation used by RCU, this constitutes a data race on\nthe ->defer_qs_iw_pending field.\n\nThis commit therefore disables interrupts across the portion of the\nrcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending\nfield.  This suffices because this handler is not a fast path."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/rcu/tree_plugin.h"],"versions":[{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"74f58f382a7c8333f8d09701aefaa25913bdbe0e","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"f937759c7432d6151b73e1393b6517661813d506","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"0ad84d62217488e679ecc90e8628980dcc003de3","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"b5de8d80b5d049f051b95d9b1ee50ae4ab656124","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"b55947b725f190396f475d5d0c59aa855a4d8895","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"e35e711c78c8a4c43330c0dcb1c4d507a19c20f4","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"90de9c94ea72327cfa9c2c9f6113c23a513af60b","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"55e11f6776798b27cf09a7aa0d718415d4fc9cf5","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"90c09d57caeca94e6f3f87c49e96a91edd40cbfd","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/rcu/tree_plugin.h"],"versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","status":"unaffected","versionType":"semver"},{"version":"5.4.297","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.241","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.149","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.103","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.43","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.11","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.2","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.4.297"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.10.241"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.1.149"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.6.103"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.12.43"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.15.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.16.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/74f58f382a7c8333f8d09701aefaa25913bdbe0e"},{"url":"https://git.kernel.org/stable/c/f937759c7432d6151b73e1393b6517661813d506"},{"url":"https://git.kernel.org/stable/c/0ad84d62217488e679ecc90e8628980dcc003de3"},{"url":"https://git.kernel.org/stable/c/b5de8d80b5d049f051b95d9b1ee50ae4ab656124"},{"url":"https://git.kernel.org/stable/c/b55947b725f190396f475d5d0c59aa855a4d8895"},{"url":"https://git.kernel.org/stable/c/e35e711c78c8a4c43330c0dcb1c4d507a19c20f4"},{"url":"https://git.kernel.org/stable/c/90de9c94ea72327cfa9c2c9f6113c23a513af60b"},{"url":"https://git.kernel.org/stable/c/55e11f6776798b27cf09a7aa0d718415d4fc9cf5"},{"url":"https://git.kernel.org/stable/c/90c09d57caeca94e6f3f87c49e96a91edd40cbfd"}],"title":"rcu: Protect ->defer_qs_iw_pending from data race","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:43:01.289Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T12:06:44.240Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC CN 4100","versions":[{"status":"affected","version":"0","lessThan":"V5.0","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-032379.html"}]}]}}