CVE-2025-39736 – This CVE describes a deadlock vulnerability in ... (How to Fix)

Q: What is the severity of CVE-2025-39736?

CVE-2025-39736 has a CVSS score of 5.5 (MEDIUM). This CVE describes a deadlock vulnerability in the Linux kernel's kmemleak memory leak detector. When netpoll is enabled, a specific code path can cause the system to hang indefinitely due to lock inversion. This affects Linux systems with kmemleak enabled and netpoll/netconsole configured.

📋 TL;DR

This CVE describes a deadlock vulnerability in the Linux kernel's kmemleak memory leak detector. When netpoll is enabled, a specific code path can cause the system to hang indefinitely due to lock inversion. This affects Linux systems with kmemleak enabled and netpoll/netconsole configured.

💻 Affected Systems

Products:

Linux kernel

Versions: Specific affected versions not explicitly stated in CVE, but patches are available in stable kernel trees

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ✅ No

Notes: Requires CONFIG_DEBUG_KMEMLEAK=y and netpoll/netconsole enabled. Most production systems have kmemleak disabled by default.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

System deadlock causing complete unresponsiveness, requiring hard reboot and potential data loss or corruption.

🟠

Likely Case

System hangs under specific conditions when kmemleak warnings are triggered with netpoll enabled, requiring manual intervention to recover.

🟢

If Mitigated

No impact if kmemleak is disabled or netpoll/netconsole is not configured.

🌐 Internet-Facing: LOW - This is a local kernel deadlock issue, not remotely exploitable for code execution or data access.

🏢 Internal Only: MEDIUM - Can cause system instability and downtime for affected configurations, but requires specific conditions to trigger.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires triggering kmemleak warnings while netpoll is active. This is a reliability/DoS issue, not a security bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (see references for specific commits)

Vendor Advisory: https://git.kernel.org/stable/c/08f70be5e406ce47c822f2dd11c1170ca259605b

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor. 2. Reboot the system to load the new kernel. 3. Verify the fix by checking kernel version.

🔧 Temporary Workarounds

Disable kmemleak

all

Disable the kmemleak memory leak detector which is typically not needed in production environments

echo 0 > /sys/kernel/debug/kmemleak
Or boot with kmemleak=off kernel parameter

Disable netconsole/netpoll

all

Disable network console logging if not required

Remove netconsole parameters from kernel command line
Disable netpoll in network configuration

🧯 If You Can't Patch

Disable kmemleak via kernel command line parameter (kmemleak=off)
Ensure netconsole and netpoll are disabled in system configuration

🔍 How to Verify

Check if Vulnerable:

Check if kmemleak is enabled: cat /sys/kernel/debug/kmemleak 2>/dev/null || echo 'kmemleak not enabled'. Check kernel version against patched releases.

Check Version:

uname -r

Verify Fix Applied:

Verify running kernel version includes the fix commits or is from a patched release. Check that kmemleak warnings no longer cause deadlock with netpoll enabled.

📡 Detection & Monitoring

Log Indicators:

System hangs or becomes unresponsive
Kernel panic messages related to deadlock
kmemleak warning messages in dmesg

Network Indicators:

None - this is a local kernel issue

SIEM Query:

Search for: 'deadlock' OR 'kmemleak' OR 'netconsole' in kernel logs with system unresponsiveness indicators

📊 Metadata

CVE ID: CVE-2025-39736

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-667

EPSS Score: 0.01% exploit probability (0.6th percentile)

Published: September 11, 2025

Last Updated: January 9, 2026

🔗 References

https://git.kernel.org/stable/c/08f70be5e406ce47c822f2dd11c1170ca259605b Patch
https://git.kernel.org/stable/c/1da95d3d4b7b1d380ebd87b71a61e7e6aed3265d Patch
https://git.kernel.org/stable/c/47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 Patch
https://git.kernel.org/stable/c/4b0151e1d468eb2667c37b7af99b3c075072d334 Patch
https://git.kernel.org/stable/c/62879faa8efe8d8a9c7bf7606ee9c068012d7dac Patch
https://git.kernel.org/stable/c/a0854de00ce2ee27edf39037e7836ad580eb3350 Patch
https://git.kernel.org/stable/c/a181b228b37a6a5625dad2bb4265bb7abb673e9f Patch
https://git.kernel.org/stable/c/c7b6ea0ede687e7460e593c5ea478f50aa41682a Patch
https://git.kernel.org/stable/c/f249d32bb54876b4b6c3ae071af8ddca77af390b Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory,Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory,Mailing List

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-39736, you might also want to check these: