CVE-2025-39749 – This is a data race vulnerability in the Linux ... (How to Fix)

Q: What is the severity of CVE-2025-39749?

CVE-2025-39749 has a CVSS score of 7.0 (HIGH). This is a data race vulnerability in the Linux kernel's RCU (Read-Copy Update) subsystem where concurrent access to the ->defer_qs_iw_pending field could cause undefined behavior. It affects Linux systems with CONFIG_IRQ_WORK=y enabled, potentially leading to kernel instability or crashes. The vulnerability requires local access to exploit.

📋 TL;DR

This is a data race vulnerability in the Linux kernel's RCU (Read-Copy Update) subsystem where concurrent access to the ->defer_qs_iw_pending field could cause undefined behavior. It affects Linux systems with CONFIG_IRQ_WORK=y enabled, potentially leading to kernel instability or crashes. The vulnerability requires local access to exploit.

💻 Affected Systems

Products:

Linux kernel

Versions: Specific affected versions not explicitly stated in CVE, but patches available for stable kernel branches

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Requires CONFIG_IRQ_WORK=y kernel configuration. More vulnerable when booted with rcutree.use_softirq=y parameter.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic or system crash leading to denial of service

🟠

Likely Case

System instability, kernel oops, or performance degradation

🟢

If Mitigated

Minimal impact with proper kernel hardening and access controls

🌐 Internet-Facing: LOW - Requires local access to exploit

🏢 Internal Only: MEDIUM - Local users or processes could trigger the race condition

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH - Requires precise timing to trigger data race

Exploitation requires local access and ability to trigger specific RCU read-side critical section patterns

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in kernel commits: 0ad84d62217488e679ecc90e8628980dcc003de3, 55e11f6776798b27cf09a7aa0d718415d4fc9cf5, 74f58f382a7c8333f8d09701aefaa25913bdbe0e, 90c09d57caeca94e6f3f87c49e96a91edd40cbfd, 90de9c94ea72327cfa9c2c9f6113c23a513af60b

Vendor Advisory: https://git.kernel.org/stable/c/0ad84d62217488e679ecc90e8628980dcc003de3

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution's repositories. 2. Reboot the system to load the new kernel. 3. Verify the kernel version matches the patched release.

🔧 Temporary Workarounds

Disable IRQ work configuration

linux

Rebuild kernel without CONFIG_IRQ_WORK=y, but this may impact performance and functionality

Not applicable - requires kernel reconfiguration and rebuild

🧯 If You Can't Patch

Restrict local user access and limit process privileges
Implement kernel hardening measures like SELinux/AppArmor to limit impact scope

🔍 How to Verify

Check if Vulnerable:

Check kernel version and configuration: grep CONFIG_IRQ_WORK /boot/config-$(uname -r) && uname -r

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is patched and check for the specific commit hash in kernel source

📡 Detection & Monitoring

Log Indicators:

Kernel oops messages
KCSAN data race warnings in dmesg
System crash/panic logs

Network Indicators:

None - local vulnerability only

SIEM Query:

source="kernel" AND ("KCSAN" OR "data-race" OR "BUG:" OR "Oops:")

📊 Metadata

CVE ID: CVE-2025-39749

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score: 0.01% exploit probability (1th percentile)

Published: September 11, 2025

Last Updated: January 9, 2026

🔗 References

https://git.kernel.org/stable/c/0ad84d62217488e679ecc90e8628980dcc003de3 Patch
https://git.kernel.org/stable/c/55e11f6776798b27cf09a7aa0d718415d4fc9cf5 Patch
https://git.kernel.org/stable/c/74f58f382a7c8333f8d09701aefaa25913bdbe0e Patch
https://git.kernel.org/stable/c/90c09d57caeca94e6f3f87c49e96a91edd40cbfd Patch
https://git.kernel.org/stable/c/90de9c94ea72327cfa9c2c9f6113c23a513af60b Patch
https://git.kernel.org/stable/c/b55947b725f190396f475d5d0c59aa855a4d8895 Patch
https://git.kernel.org/stable/c/b5de8d80b5d049f051b95d9b1ee50ae4ab656124 Patch
https://git.kernel.org/stable/c/e35e711c78c8a4c43330c0dcb1c4d507a19c20f4 Patch
https://git.kernel.org/stable/c/f937759c7432d6151b73e1393b6517661813d506 Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory,Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory,Mailing List

📤 Share & Export

📄 Export Markdown 📋 Export JSON