{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39841","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.141Z","datePublished":"2025-09-19T15:26:16.349Z","dateUpdated":"2026-05-12T12:07:28.917Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:37:28.843Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix buffer free/clear order in deferred receive path\n\nFix a use-after-free window by correcting the buffer release sequence in\nthe deferred receive path. The code freed the RQ buffer first and only\nthen cleared the context pointer under the lock. Concurrent paths (e.g.,\nABTS and the repost path) also inspect and release the same pointer under\nthe lock, so the old order could lead to double-free/UAF.\n\nNote that the repost path already uses the correct pattern: detach the\npointer under the lock, then free it after dropping the lock. The\ndeferred path should do the same."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/lpfc/lpfc_nvmet.c"],"versions":[{"version":"472e146d1cf3410a898b49834500fa9e33ac41a2","lessThan":"ab34084f42ee06a9028d67c78feafb911d33d111","status":"affected","versionType":"git"},{"version":"472e146d1cf3410a898b49834500fa9e33ac41a2","lessThan":"baa39f6ad79d372a6ce0aa639fbb2f1578479f57","status":"affected","versionType":"git"},{"version":"472e146d1cf3410a898b49834500fa9e33ac41a2","lessThan":"95b63d15fce5c54a73bbf195e1aacb5a75b128e2","status":"affected","versionType":"git"},{"version":"472e146d1cf3410a898b49834500fa9e33ac41a2","lessThan":"55658c7501467ca9ef3bd4453dd920010db8bc13","status":"affected","versionType":"git"},{"version":"472e146d1cf3410a898b49834500fa9e33ac41a2","lessThan":"d96cc9a1b57725930c60b607423759d563b4d900","status":"affected","versionType":"git"},{"version":"472e146d1cf3410a898b49834500fa9e33ac41a2","lessThan":"367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11","status":"affected","versionType":"git"},{"version":"472e146d1cf3410a898b49834500fa9e33ac41a2","lessThan":"897f64b01c1249ac730329b83f4f40bab71e86c7","status":"affected","versionType":"git"},{"version":"472e146d1cf3410a898b49834500fa9e33ac41a2","lessThan":"9dba9a45c348e8460da97c450cddf70b2056deb3","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/lpfc/lpfc_nvmet.c"],"versions":[{"version":"5.1","status":"affected"},{"version":"0","lessThan":"5.1","status":"unaffected","versionType":"semver"},{"version":"5.4.299","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.243","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.192","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.151","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.105","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.46","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.6","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"5.4.299"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"5.10.243"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"5.15.192"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.1.151"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.6.105"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.12.46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.16.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ab34084f42ee06a9028d67c78feafb911d33d111"},{"url":"https://git.kernel.org/stable/c/baa39f6ad79d372a6ce0aa639fbb2f1578479f57"},{"url":"https://git.kernel.org/stable/c/95b63d15fce5c54a73bbf195e1aacb5a75b128e2"},{"url":"https://git.kernel.org/stable/c/55658c7501467ca9ef3bd4453dd920010db8bc13"},{"url":"https://git.kernel.org/stable/c/d96cc9a1b57725930c60b607423759d563b4d900"},{"url":"https://git.kernel.org/stable/c/367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11"},{"url":"https://git.kernel.org/stable/c/897f64b01c1249ac730329b83f4f40bab71e86c7"},{"url":"https://git.kernel.org/stable/c/9dba9a45c348e8460da97c450cddf70b2056deb3"}],"title":"scsi: lpfc: Fix buffer free/clear order in deferred receive path","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:43:56.756Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T12:07:28.917Z"},"affected":[{"vendor":"Siemens","product":"RUGGEDCOM RST2428P","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XCH328","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XCM324","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XCM328","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XCM332","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRH334 (24 V DC, 8xFO, CC)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRM334 (230 V AC, 12xFO)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRM334 (230 V AC, 8xFO)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRM334 (24 V DC, 12xFO)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRM334 (24 V DC, 8xFO)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRM334 (2x230 V AC, 12xFO)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRM334 (2x230 V AC, 8xFO)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+)","versions":[{"status":"affected","version":"0","lessThan":"V3.3","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC CN 4100","versions":[{"status":"affected","version":"0","lessThan":"V5.0","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-089022.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-032379.html"}]}]}}