CVE-2025-39745 in Linux
Summary
by MITRE • 09/11/2025
In the Linux kernel, the following vulnerability has been resolved:
rcutorture: Fix rcutorture_one_extend_check() splat in RT kernels
For kernels built with CONFIG_PREEMPT_RT=y, running rcutorture tests resulted in the following splat:
[ 68.797425] rcutorture_one_extend_check during change: Current 0x1 To add 0x1 To remove 0x0 preempt_count() 0x0
[ 68.797533] WARNING: CPU: 2 PID: 512 at kernel/rcu/rcutorture.c:1993 rcutorture_one_extend_check+0x419/0x560 [rcutorture]
[ 68.797601] Call Trace:
[ 68.797602] <TASK>
[ 68.797619] ? lockdep_softirqs_off+0xa5/0x160
[ 68.797631] rcutorture_one_extend+0x18e/0xcc0 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]
[ 68.797646] ? local_clock+0x19/0x40
[ 68.797659] rcu_torture_one_read+0xf0/0x280 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]
[ 68.797678] ? __pfx_rcu_torture_one_read+0x10/0x10 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]
[ 68.797804] ? __pfx_rcu_torture_timer+0x10/0x10 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]
[ 68.797815] rcu-torture: rcu_torture_reader task started
[ 68.797824] rcu-torture: Creating rcu_torture_reader task
[ 68.797824] rcu_torture_reader+0x238/0x580 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]
[ 68.797836] ? kvm_sched_clock_read+0x15/0x30
Disabling BH does not change the corresponding SOFTIRQ bits in preempt_count() for RT kernels; this commit therefore uses softirq_count() to check if BH is disabled.
Analysis
by VulDB Data Team • 11/26/2025
The vulnerability CVE-2025-39745 addresses a critical issue within the Linux kernel's rcutorture subsystem that specifically impacts real-time kernel configurations. This flaw manifests during the execution of rcutorture tests on kernels built with CONFIG_PREEMPT_RT=y, which enables real-time scheduling capabilities. The rcutorture framework serves as a comprehensive stress testing tool designed to validate the correctness and robustness of RCU (Read-Copy-Update) mechanisms under various concurrent access scenarios. When running these tests on real-time kernels, the system generates a kernel splat indicating a warning at kernel/rcu/rcutorture.c line 1993 within the rcutorture_one_extend_check function, demonstrating a failure in the kernel's internal consistency checking mechanisms.
The technical root cause of this vulnerability stems from an incorrect assumption about how kernel preemption and interrupt handling work in real-time environments. In standard Linux kernels, the disable_bh() function effectively modifies the preempt_count() value to indicate that bottom half processing is disabled. However, in real-time kernels with CONFIG_PREEMPT_RT=y, the behavior differs significantly because the disable_bh() operation does not modify the SOFTIRQ bits within preempt_count(). This discrepancy creates a mismatch between the expected and actual kernel state, leading to false positives in the rcutorture_one_extend_check() function that validates RCU grace period extensions. The function incorrectly interprets the kernel state, triggering a warning condition that indicates an apparent inconsistency in the RCU subsystem's operation.
The operational impact of this vulnerability is particularly severe in real-time computing environments where kernel stability and predictability are paramount. Systems utilizing real-time Linux configurations for critical applications such as industrial control systems, automotive electronics, or telecommunications infrastructure may experience unexpected kernel warnings and potential instability during RCU stress testing. While the immediate effect appears to be a kernel warning rather than a system crash, the underlying issue suggests a fundamental misalignment in how kernel subsystems interact with real-time scheduling policies. This misalignment could potentially lead to more serious consequences including degraded system performance, incorrect RCU behavior, or in extreme cases, system instability during high-concurrency scenarios. The vulnerability particularly affects testing and development environments where rcutorture is used to validate kernel correctness under stress conditions.
The mitigation implemented in this fix specifically addresses the discrepancy between standard and real-time kernel behaviors by modifying the rcutorture_one_extend_check() function to use softirq_count() instead of relying on preempt_count() for determining whether bottom half processing is disabled. This change ensures that the function correctly identifies the actual interrupt handling state regardless of whether the kernel is running in standard or real-time mode. This approach aligns with the broader principles of kernel development that require careful consideration of different kernel configurations and their varying behavioral characteristics. The fix demonstrates the importance of configuration-aware programming practices in kernel development, where functions must properly account for different kernel build options and their associated behavioral differences. From a security perspective, while this vulnerability does not directly expose a privilege escalation path or direct attack surface, it represents a potential stability risk that could be exploited in resource exhaustion scenarios or combined with other vulnerabilities to create more significant impacts. The vulnerability classification aligns with CWE-691, which covers inadequate protection of code against excessive resource consumption, and relates to ATT&CK technique T1499.001, which involves resource exhaustion through kernel manipulation.
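The mismatch and the fix described above, as a user-space C model added here; it is not the kernel's or the patch's code. The model_* names, check_warns() and RDR_BH (taken to be the 0x1 reader-state flag shown in the splat) are assumptions; the SOFTIRQ bit layout follows include/linux/preempt.h.

```c
#include <stdbool.h>
#include <stdio.h>

/* SOFTIRQ field of preempt_count(), laid out as in include/linux/preempt.h. */
#define SOFTIRQ_SHIFT 8
#define SOFTIRQ_MASK (0xffUL << SOFTIRQ_SHIFT)
#define SOFTIRQ_DISABLE_OFFSET (2UL << SOFTIRQ_SHIFT)
#define RDR_BH 0x1 /* assumed: "BH disabled" reader flag, the 0x1 in the splat */

/* Hypothetical model of the state the consistency check inspects. */
struct model_task {
    bool rt;                           /* models CONFIG_PREEMPT_RT=y */
    unsigned long preempt_count;       /* what preempt_count() returns */
    unsigned long softirq_disable_cnt; /* per-task counter used on RT */
};

/* Disabling BH: non-RT bumps preempt_count, RT bumps only the task counter. */
static void model_bh_disable(struct model_task *t)
{
    *(t->rt ? &t->softirq_disable_cnt : &t->preempt_count) += SOFTIRQ_DISABLE_OFFSET;
}

/* softirq_count(): reads whichever counter the configuration maintains. */
static unsigned long model_softirq_count(const struct model_task *t)
{
    return (t->rt ? t->softirq_disable_cnt : t->preempt_count) & SOFTIRQ_MASK;
}

/* True when the check would warn: reader state says BH is off, counter says no. */
static bool check_warns(const struct model_task *t, int cur, bool fixed)
{
    unsigned long bh = fixed ? model_softirq_count(t) : (t->preempt_count & SOFTIRQ_MASK);
    return (cur & RDR_BH) && !bh;
}

/* Disable BH on a fresh task, then run the pre-fix or the fixed check. */
static bool warns_after_bh_disable(bool rt, bool fixed)
{
    struct model_task t = { .rt = rt };
    model_bh_disable(&t);
    return check_warns(&t, RDR_BH, fixed);
}

int main(void)
{
    for (int rt = 0; rt <= 1; rt++)
        printf("RT=%d pre-fix warns=%d fixed warns=%d\n", rt,
               warns_after_bh_disable(rt, false), warns_after_bh_disable(rt, true));
    return 0;
}
```

Only the RT case with the pre-fix check warns, matching the splat's "Current 0x1 ... preempt_count() 0x0".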