CVE-2025-39905

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains a flaw in the networking subsystem related to phylink. The issue involves a potential race condition when serializing concurrent writes to pl->phydev with the resolver. Currently, phylink resolve() relies on pl->state mutex to protect against concurrent calls to phylink bringup phy() or phylink disconnect phy() that modify pl->phydev. However, a lock inversion exists where pl->phydev->lock needs to be acquired before pl->state mutex, which requires dereferencing pl->phydev without the protection of pl->state mutex. A new lock has been added to address this, though it is currently redundant, it will become functional when mutex lock(&phy->lock) is moved outside the mutex lock(&pl->state mutex) section. Using the rtnl mutex was considered but rejected due to potential deadlocks with phylink disconnect phy() and unnecessary blocking of other kernel call paths.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.