ghsa-xxf9-fpw2-6hgc
Vulnerability from github
Published
2025-09-05 18:31
Modified
2025-09-05 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

ppp: fix race conditions in ppp_fill_forward_path

ppp_fill_forward_path() has two race conditions:

  1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic.

  2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels.

Fix these by using a lockless RCU approach: - Use list_first_or_null_rcu() to safely test and access the first list entry. - Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal. - Check for a NULL pch->chan before dereferencing it.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39673"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T18:15:43Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix race conditions in ppp_fill_forward_path\n\nppp_fill_forward_path() has two race conditions:\n\n1. The ppp-\u003echannels list can change between list_empty() and\n   list_first_entry(), as ppp_lock() is not held. If the only channel\n   is deleted in ppp_disconnect_channel(), list_first_entry() may\n   access an empty head or a freed entry, and trigger a panic.\n\n2. pch-\u003echan can be NULL. When ppp_unregister_channel() is called,\n   pch-\u003echan is set to NULL before pch is removed from ppp-\u003echannels.\n\nFix these by using a lockless RCU approach:\n- Use list_first_or_null_rcu() to safely test and access the first list\n  entry.\n- Convert list modifications on ppp-\u003echannels to their RCU variants and\n  add synchronize_net() after removal.\n- Check for a NULL pch-\u003echan before dereferencing it.",
  "id": "GHSA-xxf9-fpw2-6hgc",
  "modified": "2025-09-05T18:31:26Z",
  "published": "2025-09-05T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39673"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0417adf367a0af11adf7ace849af4638cfb573f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f1630be6fcca3f0c63e4b242ad202e5cde28a40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94731cc551e29511d85aa8dec61a6c071b1f2430"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a1969fbffc1f1900d92d7594b1b7d8d72ef3dc7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca18d751bcc9faf5b7e82e9fae1223d103928181"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f97f6475fdcb3c28ff3c55cc4b7bde632119ec08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.