{ "threat_severity" : "Moderate", "public_date" : "2025-09-05T00:00:00Z", "bugzilla" : { "description" : "kernel: NFS: Fix a race when updating an existing write", "id" : "2393481", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2393481" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-362", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nNFS: Fix a race when updating an existing write\nAfter nfs_lock_and_join_requests() tests for whether the request is\nstill attached to the mapping, nothing prevents a call to\nnfs_inode_remove_request() from succeeding until we actually lock the\npage group.\nThe reason is that whoever called nfs_inode_remove_request() doesn't\nnecessarily have a lock on the page group head.\nSo in order to avoid races, let's take the page group lock earlier in\nnfs_lock_and_join_requests(), and hold it across the removal of the\nrequest in nfs_inode_remove_request().", "A flaw use after free in the Linux kernel NFS functionality was found in the way connected user sends malicious data to the server. A remote user could use this flaw to crash the system." ], "statement" : "A race condition in the NFS write path allowed a request to be removed after it was checked but before the page-group lock was taken. The fix acquires the page-group lock earlier and holds it across request removal, preventing use-after-state races. This can be triggered by a client with write access to an export and may lead to a kernel crash (remote DoS).\nThis race condition is difficult to trigger in practice, as it requires several conditions to align (concurrent write activity and timing), and there is no evidence of remote control over memory contents. Therefore the most likely outcome is a denial of service (Availability: High), with Confidentiality and Integrity unaffected.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-10-27T00:00:00Z", "advisory" : "RHSA-2025:19106", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "kernel-0:6.12.0-55.41.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21118", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.9.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21920", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.85.1.rt7.426.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21917", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.85.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-12-17T00:00:00Z", "advisory" : "RHSA-2025:23445", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.178.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-12-04T00:00:00Z", "advisory" : "RHSA-2025:22752", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.179.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-12-04T00:00:00Z", "advisory" : "RHSA-2025:22752", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.179.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22006", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.170.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22006", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.170.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22006", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.170.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-12-10T00:00:00Z", "advisory" : "RHSA-2025:22998", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.122.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-12-10T00:00:00Z", "advisory" : "RHSA-2025:22998", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.122.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-17T00:00:00Z", "advisory" : "RHSA-2025:21469", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.8.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-17T00:00:00Z", "advisory" : "RHSA-2025:21469", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.8.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21091", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.153.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21136", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.153.1.rt21.225.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21051", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.146.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21128", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.146.1.rt14.431.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-11-19T00:00:00Z", "advisory" : "RHSA-2025:21760", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.100.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-01-19T00:00:00Z", "advisory" : "RHSA-2026:0804", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.79.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39697\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39697\nhttps://lore.kernel.org/linux-cve-announce/2025090548-CVE-2025-39697-5284@gregkh/T" ], "name" : "CVE-2025-39697", "mitigation" : { "value" : "To mitigate this issue, prevent module nfs from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.", "lang" : "en:us" }, "csaw" : false }