CVE-2025-39900

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-39900
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39900.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-39900
Downstream
Related
Published
2025-10-01T07:42:47Z
Modified
2025-10-22T16:38:32.620045Z
Summary
net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y
Details

In the Linux kernel, the following vulnerability has been resolved:

netsched: genestimator: fix esttimer() vs CONFIGPREEMPT_RT=y

syzbot reported a WARNING in est_timer() [1]

Problem here is that with CONFIGPREEMPTRT=y, timer callbacks can be preempted.

Adopt preemptdisablenested()/preemptenablenested() to fix this.

[1] WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 seqpropassert include/linux/seqlock.h:221 [inline] WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 esttimer+0x6dc/0x9f0 net/core/genestimator.c:93 Modules linked in: CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:seqpropassert include/linux/seqlock.h:221 [inline] RIP: 0010:esttimer+0x6dc/0x9f0 net/core/genestimator.c:93 Call Trace: <TASK> calltimerfn+0x17e/0x5f0 kernel/time/timer.c:1747 expiretimers kernel/time/timer.c:1798 [inline] _runtimers kernel/time/timer.c:2372 [inline] _runtimerbase+0x648/0x970 kernel/time/timer.c:2384 runtimerbase kernel/time/timer.c:2393 [inline] runtimersoftirq+0xb7/0x180 kernel/time/timer.c:2403 handlesoftirqs+0x22c/0x710 kernel/softirq.c:579 _dosoftirq kernel/softirq.c:613 [inline] runktimerd+0xcf/0x190 kernel/softirq.c:1043 smpbootthreadfn+0x53f/0xa60 kernel/smpboot.c:160 kthread+0x70e/0x8a0 kernel/kthread.c:463 retfromfork+0x3fc/0x770 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK>

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d2d6422f8bd17c6bb205133e290625a564194496
Fixed
a22ec2ee824be30803068a52f78f7ffe3bc879fb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d2d6422f8bd17c6bb205133e290625a564194496
Fixed
e79923824c48b930609680be04cb29253fc4a17d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d2d6422f8bd17c6bb205133e290625a564194496
Fixed
9f74c0ea9b26d1505d55b61e36b1623dd347e1d1

Affected versions

v6.*

v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.2
v6.16.3
v6.16.4
v6.16.5
v6.17-rc1
v6.17-rc2
v6.17-rc3

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.46
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.16.6