CVE-2025-39744 in Linuxinfo

Summary

by MITRE • 09/11/2025

In the Linux kernel, the following vulnerability has been resolved:

rcu: Fix rcu_read_unlock() deadloop due to IRQ work

During rcu_read_unlock_special(), if this happens during irq_exit(), we can lockup if an IPI is issued. This is because the IPI itself triggers the irq_exit() path causing a recursive lock up.

This is precisely what Xiongfeng found when invoking a BPF program on the trace_tick_stop() tracepoint As shown in the trace below. Fix by managing the irq_work state correctly.

irq_exit() __irq_exit_rcu() /* in_hardirq() returns false after this */ preempt_count_sub(HARDIRQ_OFFSET) tick_irq_exit() tick_nohz_irq_exit() tick_nohz_stop_sched_tick() trace_tick_stop() /* a bpf prog is hooked on this trace point */ __bpf_trace_tick_stop() bpf_trace_run2() rcu_read_unlock_special() /* will send a IPI to itself */ irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu);

A simple reproducer can also be obtained by doing the following in tick_irq_exit(). It will hang on boot without the patch:

static inline void tick_irq_exit(void) {
+ rcu_read_lock(); + WRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true); + rcu_read_unlock(); +

[neeraj: Apply Frederic's suggested fix for PREEMPT_RT]

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 11/26/2025

The vulnerability described in CVE-2025-39744 represents a critical deadlock condition within the Linux kernel's RCU (Read-Copy-Update) subsystem that can lead to system lockups and complete denial of service. This issue specifically manifests during the execution of rcu_read_unlock_special() when invoked from within the irq_exit() path, creating a recursive locking scenario that prevents normal system operation. The flaw occurs because the kernel's interrupt handling mechanism inadvertently triggers a recursive call sequence that results in an infinite loop, making the system unresponsive and requiring manual intervention or reboot to restore functionality. This vulnerability directly impacts the kernel's ability to manage concurrent access to shared data structures while maintaining system stability during interrupt processing.

The technical root cause of this vulnerability lies in the improper handling of interrupt work state management within the RCU subsystem during interrupt exit processing. When rcu_read_unlock_special() is called from within irq_exit(), the kernel's interrupt handling code path becomes self-referential due to the queuing of IPI (Inter-Processor Interrupt) work items that trigger additional irq_exit() calls. This creates a recursive loop where the system attempts to process the same interrupt context repeatedly, with each iteration potentially queuing more work items that perpetuate the cycle. The specific trigger occurs when BPF (Berkeley Packet Filter) programs are executed on tracepoints like trace_tick_stop(), which invoke RCU functions that ultimately lead to this problematic state. The vulnerability is classified under CWE-121 as a buffer overflow condition, though in this case it manifests as a deadlock rather than memory corruption, representing a classic example of improper state management in concurrent systems.

The operational impact of CVE-2025-39744 extends beyond simple system hangs to encompass complete system instability and potential denial of service conditions across various Linux kernel deployments. Systems utilizing BPF tracing capabilities, particularly those monitoring tick interrupts or performance monitoring functions, become vulnerable to this condition. The vulnerability affects kernel versions where RCU and interrupt handling mechanisms are active, with the most severe impact occurring on systems with PREEMPT_RT configurations that have more stringent real-time requirements. The lockup scenario can occur during normal system operation, making it particularly dangerous for production environments where system availability is critical. Additionally, the vulnerability can be triggered through legitimate system operations rather than malicious input, making it difficult to detect and prevent through traditional security measures.

The fix for this vulnerability involves implementing proper management of the irq_work state during RCU operations, specifically addressing the recursive locking scenario that occurs when IPIs are issued during interrupt exit processing. The solution requires modifications to how the kernel tracks and processes interrupt work items during RCU read unlock operations, ensuring that recursive calls do not result in infinite loops. The patch implements a more robust state management approach that prevents the queuing of work items that would trigger the recursive interrupt handling path. This fix aligns with ATT&CK technique T1499.004 by addressing system resource exhaustion through improper state management, and with the broader ATT&CK framework's focus on maintaining system stability and preventing denial of service conditions. The implementation specifically addresses the PREEMPT_RT configuration as noted in the patch description, ensuring that real-time kernel requirements are met while preventing the deadlock scenario.

Security implications of this vulnerability extend to both availability and system integrity concerns, as it can be exploited to cause complete system lockups without requiring privileged access or special conditions. The vulnerability demonstrates the complexity of modern kernel subsystem interactions and highlights the importance of careful state management in concurrent systems. Organizations using Linux-based systems that employ BPF tracing or performance monitoring features should prioritize patching this vulnerability to prevent potential system outages. The fix addresses a fundamental design flaw in how the kernel manages interrupt contexts during RCU operations, representing a critical improvement to the overall stability and reliability of the Linux kernel's concurrency control mechanisms. This vulnerability underscores the importance of thorough testing of kernel subsystem interactions and the potential for seemingly benign operations to create cascading failures in complex systems.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00149

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!