{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39941","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.148Z","datePublished":"2025-10-04T07:31:04.080Z","dateUpdated":"2026-05-11T21:39:23.137Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:39:23.137Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nzram: fix slot write race condition\n\nParallel concurrent writes to the same zram index result in leaked\nzsmalloc handles.  Schematically we can have something like this:\n\nCPU0                              CPU1\nzram_slot_lock()\nzs_free(handle)\nzram_slot_lock()\n\t\t\t\tzram_slot_lock()\n\t\t\t\tzs_free(handle)\n\t\t\t\tzram_slot_lock()\n\ncompress\t\t\tcompress\nhandle = zs_malloc()\t\thandle = zs_malloc()\nzram_slot_lock\nzram_set_handle(handle)\nzram_slot_lock\n\t\t\t\tzram_slot_lock\n\t\t\t\tzram_set_handle(handle)\n\t\t\t\tzram_slot_lock\n\nEither CPU0 or CPU1 zsmalloc handle will leak because zs_free() is done\ntoo early.  In fact, we need to reset zram entry right before we set its\nnew handle, all under the same slot lock scope."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/block/zram/zram_drv.c"],"versions":[{"version":"71268035f5d734ad6373d953298bd5779985497a","lessThan":"ff750e9f2c4d63854c33967d1646b5e89a9a19a2","status":"affected","versionType":"git"},{"version":"71268035f5d734ad6373d953298bd5779985497a","lessThan":"ce4be9e4307c5a60701ff6e0cafa74caffdc54ce","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/block/zram/zram_drv.c"],"versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","status":"unaffected","versionType":"semver"},{"version":"6.16.9","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.16.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ff750e9f2c4d63854c33967d1646b5e89a9a19a2"},{"url":"https://git.kernel.org/stable/c/ce4be9e4307c5a60701ff6e0cafa74caffdc54ce"}],"title":"zram: fix slot write race condition","x_generator":{"engine":"bippy-1.2.0"}}}}