CVE-2025-39723

7.8 HIGH

📋 TL;DR

A Linux kernel vulnerability in the netfs subsystem's unbuffered write error handling can cause kernel NULL pointer dereferences when all subrequests in a write stream fail. This leads to kernel crashes (oops/panics) when applications use splice operations with failing writes. Systems running vulnerable Linux kernel versions with netfs filesystems (like CIFS/SMB) are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions containing the vulnerable netfs code (specific range depends on distribution backports)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires a specific configuration: a netfs-backed filesystem (such as CIFS/SMB) mounted with cache=none and an application using splice operations. The generic/750 xfstest triggers it.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or corruption.

🟠

Likely Case

System crash or instability when applications perform splice operations that encounter write failures, particularly with CIFS mounts and cache=none configuration.

🟢

If Mitigated

Minor performance impact from the fix's additional checks, with stable system operation.

🌐 Internet-Facing: MEDIUM - Requires specific conditions (CIFS mounts with cache=none and splice operations) but could be triggered remotely via network filesystem operations.
🏢 Internal Only: MEDIUM - Same technical requirements but limited to internal systems using affected configurations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires specific filesystem configuration and application behavior. Found via fuzzing/xfstest rather than real-world attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel commits: 387164a2b97e1f5404c6d0049a7409bac7d2bc5b, a3de58b12ce074ec05b8741fa28d62ccb1070468, f08c80af3c9a9849cd178b4843b7c01d103506a1

Vendor Advisory: https://git.kernel.org/stable/c/387164a2b97e1f5404c6d0049a7409bac7d2bc5b

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a version containing the fix.
2. Check distribution security advisories for backported patches.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Avoid cache=none on CIFS mounts


Use default caching or other cache modes on CIFS/SMB mounts to prevent triggering the vulnerability.

mount -t cifs //server/share /mnt -o username=user,password=pass

(omit the cache=none option)

Disable splice operations for affected applications


Configure applications to avoid using splice() system calls with network filesystems.

🧯 If You Can't Patch

  • Monitor system logs for 'BUG: kernel NULL pointer dereference' or 'CIFS: VFS: Send error in write = -28' messages
  • Implement strict access controls on CIFS mounts and limit splice operations to trusted applications

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with 'uname -r' and review /proc/mounts for CIFS mounts carrying the cache=none option.

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel includes the fix commits, or check your distribution's security advisory. Test with the generic/750 xfstest.
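The /proc/mounts review above, as an added script that is not part of this advisory: it lists every CIFS mount whose option list contains cache=none, the precondition the advisory names, and prints the running kernel release beside the result. The function names and the sample mounts file are constructed here for illustration; on a live host pass /proc/mounts instead of the sample.

```shell
#!/bin/sh
# Added example (not from the advisory): report CIFS/SMB mounts whose options
# include cache=none. On a live system call it with /proc/mounts; the file
# built below is a constructed sample so the script also runs on a host with
# no CIFS share mounted.

# Print the mount point of every cifs (or smb3, the alias registered by the
# same module) mount whose option list contains the exact option cache=none.
cifs_cache_none_mounts() {
    # $1: file in /proc/mounts format: source target fstype options dump pass
    awk '$3 == "cifs" || $3 == "smb3" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "cache=none") { print $2; break }
        }' "$1"
}

# Print a summary with the kernel release; exit 0 when at least one mount
# matches (the precondition is present), 1 when none does.
report_cache_none() {
    hits=$(cifs_cache_none_mounts "$1")
    if [ -n "$hits" ]; then
        printf 'kernel %s: CIFS mounts with cache=none:\n%s\n' "$(uname -r)" "$hits"
        return 0
    fi
    printf 'kernel %s: no CIFS mounts with cache=none\n' "$(uname -r)"
    return 1
}

# Constructed sample in /proc/mounts format (server names and paths are made up).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
//fileserver/finance /mnt/finance cifs rw,relatime,vers=3.1.1,cache=none,username=svc 0 0
//fileserver/archive /mnt/archive cifs rw,relatime,vers=3.1.1,cache=strict,username=svc 0 0
//fileserver/scratch /mnt/scratch smb3 rw,relatime,vers=3.1.1,cache=none,username=svc 0 0
EOF

report_cache_none "$SAMPLE_MOUNTS"
```

On the sample the report names /mnt/finance and /mnt/scratch and skips /mnt/archive, which uses cache=strict; the option is matched as a whole token so that a value such as cache=none-like spelling in another option cannot produce a false hit.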

📡 Detection & Monitoring

Log Indicators:

  • CIFS: VFS: Send error in write = -28
  • BUG: kernel NULL pointer dereference
  • RIP: iter_file_splice_write
  • pipe_buf_release errors

Network Indicators:

  • Increased CIFS/SMB write errors followed by system instability

SIEM Query:

kernel:('NULL pointer dereference' AND 'iter_file_splice_write') OR cifs:('Send error in write = -28')
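The log indicators listed under "If You Can't Patch" and "Detection & Monitoring", and the SIEM query above, as an added script that is not part of this advisory: it tags each kernel log line that matches one of the four indicators and then applies the query's logic (NULL pointer dereference together with iter_file_splice_write, or the -28 write error) to give a single verdict. Feed it dmesg or journalctl -k output on a real host; the two log files built below are constructed samples, with made-up timestamps, fault address and symbol offsets.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the advisory's log indicators
# to kernel log text, the local equivalent of its SIEM query. The sample logs
# below are constructed so the script runs offline.

# Print every line matching one of the advisory's four indicators, prefixed
# with a short tag showing which indicator fired.
netfs_splice_indicators() {
    # $1: file of kernel log lines (dmesg or journalctl -k output)
    awk '
        /CIFS: VFS: Send error in write = -28/ { print "write-error  " $0; next }
        /BUG: kernel NULL pointer dereference/ { print "null-deref   " $0; next }
        /RIP: .*iter_file_splice_write/        { print "splice-rip   " $0; next }
        /pipe_buf_release/                     { print "pipe-release " $0; next }
    ' "$1"
}

# Same logic as the advisory's SIEM query:
#   (NULL pointer dereference AND iter_file_splice_write) OR Send error in write = -28
# Prints ALERT or clean. A lone -28 write error alerts on its own because the
# advisory lists it as the precursor message.
netfs_splice_verdict() {
    awk '
        /BUG: kernel NULL pointer dereference/ { nullderef = 1 }
        /iter_file_splice_write/               { splice = 1 }
        /CIFS: VFS: Send error in write = -28/ { enospc = 1 }
        END {
            if ((nullderef && splice) || enospc) print "ALERT"
            else print "clean"
        }
    ' "$1"
}

# Constructed sample logs (timestamps, address and offsets are made up).
CRASH_LOG=$(mktemp)
CLEAN_LOG=$(mktemp)
trap 'rm -f "$CRASH_LOG" "$CLEAN_LOG"' EXIT
cat > "$CRASH_LOG" <<'EOF'
[  120.331201] CIFS: VFS: Send error in write = -28
[  120.331450] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  120.331611] #PF: supervisor read access in kernel mode
[  120.331700] RIP: 0010:iter_file_splice_write+0x1ab/0x3d0
[  120.331912] Call Trace:
[  120.332010]  pipe_buf_release+0x22/0x40
EOF
cat > "$CLEAN_LOG" <<'EOF'
[   10.001000] CIFS: Attempting to mount //fileserver/finance
[   10.050000] CIFS: VFS: Send error in write = -13
EOF

netfs_splice_indicators "$CRASH_LOG"
echo "verdict: $(netfs_splice_verdict "$CRASH_LOG")"
```

The second sample contains a CIFS write error with a different errno (-13) and no oops, so it stays clean; only the exact -28 message or the NULL dereference paired with the splice symbol raises the verdict, mirroring the AND/OR structure of the SIEM query rather than alerting on any CIFS error.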
