PT-2025-44094 · Linux+3 · Linux Kernel+3
Published: 2025-07-15 · Updated: 2026-05-26
CVE-2025-40027
CVSS v2.0: 4.6 (Medium)
Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.1.134-syzkaller-00037-g855bd1d7d838
Description
The 9p filesystem client in the Linux kernel contained a race condition in which a request could be deleted from the req_list simultaneously by both p9_read_work and p9_fd_cancelled. This occurred when a 9p client sent an invalid flush request and later cleaned it up, or when the 9p client in p9_read_work canceled all pending requests. Specifically, the issue stemmed from a double deletion of a request from the req_list due to concurrent access and modification of the list under a spinlock. The vulnerability was discovered by Linux Verification Center (linuxtesting.org) using Syzkaller. The fix updates the check in p9_fd_cancelled to skip processing requests that are not in the SENT state, as any state change from SENT also removes the request from its list.
Recommendations
Update the Linux kernel to version 6.1.134-syzkaller-00037-g855bd1d7d838 or later.
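A small user-space C model of the double deletion and the SENT-only check from the Description, added here as an illustration and not taken from the kernel source. It replays the interleaving sequentially (the spinlock is omitted); all names, the status values, and the pre-fix check that skips only received requests are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified user-space model; all names are assumptions, not kernel code. */
enum req_status { REQ_SENT, REQ_RCVD, REQ_ERROR };
struct node { struct node *prev, *next; };
struct req { struct node link; enum req_status status; };
static int double_deletes; /* unlinks attempted on an already-unlinked node */

static void list_add_tail(struct node *n, struct node *h) {
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Unlink and poison, so a second unlink is counted instead of corrupting. */
static void list_del(struct node *n) {
    if (n->next == NULL) { double_deletes++; return; }
    n->prev->next = n->next; n->next->prev = n->prev;
    n->prev = n->next = NULL;
}

/* Read-work path cancelling a pending request: leaving SENT unlinks it. */
static void read_work_cancel(struct req *r) {
    r->status = REQ_ERROR;
    list_del(&r->link);
}

/* Cancel path. fixed=true skips anything not SENT (the fix described above);
 * fixed=false skips only received requests (assumed pre-fix check). */
static void fd_cancelled(struct req *r, bool fixed) {
    if (fixed ? r->status != REQ_SENT : r->status == REQ_RCVD)
        return;
    r->status = REQ_ERROR;
    list_del(&r->link);
}

/* Optionally run read work first, then the cancel path on the same request.
 * Returns the double deletions seen, or -1 if the request stayed linked. */
int run_case(bool read_work_first, bool fixed) {
    struct node head = { &head, &head };
    struct req r = { .status = REQ_SENT };
    double_deletes = 0;
    list_add_tail(&r.link, &head);
    if (read_work_first) read_work_cancel(&r);
    fd_cancelled(&r, fixed);
    return head.next == &head ? double_deletes : -1;
}

int main(void) { return run_case(true, true); } /* exits 0: no double delete */
```

The model counts a second unlink instead of corrupting memory, which is the same condition list debugging reports as list_del corruption on an affected kernel.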
Exploit
Fix
Race Condition
Affected Products
Debian
Linuxmint
Linux Kernel
Ubuntu