CVE-2025-39726 in Linux
Summary
by MITRE • 09/05/2025
In the Linux kernel, the following vulnerability has been resolved:
s390/ism: fix concurrency management in ism_cmd()
The s390x ISM device data sheet clearly states that only one request-response sequence is allowable per ISM function at any point in time. Unfortunately as of today the s390/ism driver in Linux does not honor that requirement. This patch aims to rectify that.
This problem was discovered based on Aliaksei's bug report which states that for certain workloads the ISM functions end up entering error state (with PEC 2 as seen from the logs) after a while and as a consequence connections handled by the respective function break, and for future connection requests the ISM device is not considered -- given it is in a dysfunctional state. During further debugging PEC 3A was observed as well.
A kernel message like [ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a
is a reliable indicator of the stated function entering error state with PEC 2. Let me also point out that a kernel message like [ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery
is a reliable indicator that the ISM function won't be auto-recovered because the ISM driver currently lacks support for it.
On a technical level, without this synchronization, commands (inputs to the FW) may be partially or fully overwritten (corrupted) by another CPU trying to issue commands on the same function. There is hard evidence that this can lead to DMB token values being used as DMB IOVAs, leading to PEC 2 PCI events indicating invalid DMA. But this is only one of the failure modes imaginable. In theory even completely losing one command and executing another one twice and then trying to interpret the outputs as if the command we intended to execute was actually executed and not the other one is also possible. Frankly, I don't feel confident about providing an exhaustive list of possible consequences.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability CVE-2025-39726 affects the Linux kernel's s390/ism driver on IBM z Systems platforms, specifically addressing a critical concurrency management flaw in the ism_cmd() function. This issue stems from the driver's failure to properly enforce the hardware-imposed limitation that only one request-response sequence is permissible per ISM function at any given time. The s390x ISM device specification explicitly mandates this restriction, yet the kernel implementation lacks proper synchronization mechanisms to prevent concurrent command execution on the same function. The vulnerability manifests as a race condition where multiple CPU cores attempting to issue commands simultaneously can result in command corruption or overwrites, fundamentally undermining the reliability of the ISM device communication.
The technical flaw resides in the absence of proper locking mechanisms within the ism_cmd() function, creating a scenario where concurrent access to shared ISM function resources leads to unpredictable command execution outcomes. When multiple threads or CPU cores attempt to execute commands on the same ISM function simultaneously, the underlying firmware may receive corrupted command sequences or have commands partially overwritten. This concurrency violation directly violates the hardware's documented requirements and can result in severe operational consequences including DMA errors, invalid IOVA usage, and complete device malfunction. The specific error conditions observed include PEC 2 errors indicating invalid DMA operations and PEC 3A errors, both of which signal device-level failures in command processing. This vulnerability operates at the intersection of hardware constraints and software implementation, where the kernel fails to properly abstract the underlying hardware limitations, leading to a direct violation of the device's operational specifications.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially complete system instability and service disruption. When ISM functions enter error states due to command corruption, they become non-functional and must be manually reset or the entire device removed from service. The kernel logs clearly indicate this failure mode with messages such as "Event 0x2 reports an error for PCI function" and "The ism driver bound to the device does not support error recovery," which demonstrate both the hardware-level failure and the driver's inability to self-heal. This creates a cascading effect where connection handling breaks down completely, and subsequent connection requests are denied because the device is considered dysfunctional. The vulnerability is particularly concerning for high-throughput workloads that heavily utilize ISM functions, as the race conditions are more likely to manifest under concurrent stress conditions. From a cybersecurity perspective, this represents a potential denial-of-service vector that could be exploited to disrupt critical network services or data processing pipelines.
The resolution of this vulnerability requires implementing proper synchronization mechanisms within the ism_cmd() function to ensure exclusive access to ISM function resources during command execution. This typically involves introducing mutex locks or similar atomic synchronization primitives to prevent concurrent access to shared ISM function state. The fix must be carefully designed to maintain system responsiveness while ensuring hardware compliance. Organizations should prioritize applying this patch to systems running affected kernel versions, particularly those utilizing IBM z Systems with ISM devices for high-performance networking or storage operations. The vulnerability aligns with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and represents a classic example of how hardware constraints must be properly enforced at the software level. From an ATT&CK perspective, this vulnerability could be leveraged for denial-of-service attacks against network services or could potentially serve as a stepping stone for more sophisticated exploitation if combined with other vulnerabilities, making prompt remediation essential for maintaining system integrity and availability.