{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39841", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.141Z", "datePublished": "2025-09-19T15:26:16.349Z", "dateUpdated": "2025-09-29T06:00:48.116Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-29T06:00:48.116Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix buffer free/clear order in deferred receive path\n\nFix a use-after-free window by correcting the buffer release sequence in\nthe deferred receive path. The code freed the RQ buffer first and only\nthen cleared the context pointer under the lock. Concurrent paths (e.g.,\nABTS and the repost path) also inspect and release the same pointer under\nthe lock, so the old order could lead to double-free/UAF.\n\nNote that the repost path already uses the correct pattern: detach the\npointer under the lock, then free it after dropping the lock. The\ndeferred path should do the same."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/lpfc/lpfc_nvmet.c"], "versions": [{"version": "472e146d1cf3410a898b49834500fa9e33ac41a2", "lessThan": "ab34084f42ee06a9028d67c78feafb911d33d111", "status": "affected", "versionType": "git"}, {"version": "472e146d1cf3410a898b49834500fa9e33ac41a2", "lessThan": "baa39f6ad79d372a6ce0aa639fbb2f1578479f57", "status": "affected", "versionType": "git"}, {"version": "472e146d1cf3410a898b49834500fa9e33ac41a2", "lessThan": "95b63d15fce5c54a73bbf195e1aacb5a75b128e2", "status": "affected", "versionType": "git"}, {"version": "472e146d1cf3410a898b49834500fa9e33ac41a2", "lessThan": "55658c7501467ca9ef3bd4453dd920010db8bc13", "status": "affected", "versionType": "git"}, {"version": "472e146d1cf3410a898b49834500fa9e33ac41a2", "lessThan": "d96cc9a1b57725930c60b607423759d563b4d900", "status": "affected", "versionType": "git"}, {"version": "472e146d1cf3410a898b49834500fa9e33ac41a2", "lessThan": "367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11", "status": "affected", "versionType": "git"}, {"version": "472e146d1cf3410a898b49834500fa9e33ac41a2", "lessThan": "897f64b01c1249ac730329b83f4f40bab71e86c7", "status": "affected", "versionType": "git"}, {"version": "472e146d1cf3410a898b49834500fa9e33ac41a2", "lessThan": "9dba9a45c348e8460da97c450cddf70b2056deb3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/lpfc/lpfc_nvmet.c"], "versions": [{"version": "5.1", "status": "affected"}, {"version": "0", "lessThan": "5.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.299", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.243", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.192", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.151", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.105", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.46", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.6", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "5.4.299"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "5.10.243"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "5.15.192"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.1.151"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.6.105"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.12.46"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.16.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ab34084f42ee06a9028d67c78feafb911d33d111"}, {"url": "https://git.kernel.org/stable/c/baa39f6ad79d372a6ce0aa639fbb2f1578479f57"}, {"url": "https://git.kernel.org/stable/c/95b63d15fce5c54a73bbf195e1aacb5a75b128e2"}, {"url": "https://git.kernel.org/stable/c/55658c7501467ca9ef3bd4453dd920010db8bc13"}, {"url": "https://git.kernel.org/stable/c/d96cc9a1b57725930c60b607423759d563b4d900"}, {"url": "https://git.kernel.org/stable/c/367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11"}, {"url": "https://git.kernel.org/stable/c/897f64b01c1249ac730329b83f4f40bab71e86c7"}, {"url": "https://git.kernel.org/stable/c/9dba9a45c348e8460da97c450cddf70b2056deb3"}], "title": "scsi: lpfc: Fix buffer free/clear order in deferred receive path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix buffer free/clear order in deferred receive path\n\nFix a use-after-free window by correcting the buffer release sequence in\nthe deferred receive path. The code freed the RQ buffer first and only\nthen cleared the context pointer under the lock. Concurrent paths (e.g.,\nABTS and the repost path) also inspect and release the same pointer under\nthe lock, so the old order could lead to double-free/UAF.\n\nNote that the repost path already uses the correct pattern: detach the\npointer under the lock, then free it after dropping the lock. The\ndeferred path should do the same."}], "id": "CVE-2025-39841", "lastModified": "2025-09-22T21:23:01.543", "metrics": {}, "published": "2025-09-19T16:15:42.813", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/55658c7501467ca9ef3bd4453dd920010db8bc13"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/897f64b01c1249ac730329b83f4f40bab71e86c7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/95b63d15fce5c54a73bbf195e1aacb5a75b128e2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9dba9a45c348e8460da97c450cddf70b2056deb3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab34084f42ee06a9028d67c78feafb911d33d111"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/baa39f6ad79d372a6ce0aa639fbb2f1578479f57"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d96cc9a1b57725930c60b607423759d563b4d900"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: scsi: lpfc: Fix buffer free/clear order in deferred receive path", "id": "2396944", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396944"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-39841", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-39841\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39841\nhttps://lore.kernel.org/linux-cve-announce/2025091902-CVE-2025-39841-2c0f@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-09-22T09:59:56.764611+00:00", "updated": "2025-09-22T10:06:18.462134+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}