CVE-2025-39905

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains a flaw in the networking subsystem related to phylink. The issue involves a potential race condition when serializing concurrent writes to

pl->phydev

with the resolver. Currently,

phylink resolve()

relies on

pl->state mutex

to protect against concurrent calls to

phylink bringup phy()

phylink disconnect phy()

that modify

pl->phydev

. However, a lock inversion exists where

pl->phydev->lock

needs to be acquired before

pl->state mutex

, which requires dereferencing

pl->phydev

without the protection of

pl->state mutex

. A new lock has been added to address this, though it is currently redundant, it will become functional when

mutex lock(&phy->lock)

is moved outside the

mutex lock(&pl->state mutex)

section. Using the

rtnl mutex

was considered but rejected due to potential deadlocks with

phylink disconnect phy()

and unnecessary blocking of other kernel call paths.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2025-39905

ECHO-B9B2-19CF-778D

Affected Products

Debian

Linux Kernel

CVE-2025-39905

Related Identifiers

Affected Products

References · 18