CVE-2025-39673

The ppp->channels list can change between listempty() and listfirstentry(), as ppplock() is not held. If the only channel is deleted in pppdisconnectchannel(), listfirstentry() may access an empty head or a freed entry, and trigger a panic.
pch->chan can be NULL. When pppunregisterchannel() is called, pch->chan is set to NULL before pch is removed from ppp->channels.

Fix these by using a lockless RCU approach: - Use listfirstornullrcu() to safely test and access the first list entry. - Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal. - Check for a NULL pch->chan before dereferencing it.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39673.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f6efc675c9dd8d93f826b79ae7e33e03301db609

Fixed

9a1969fbffc1f1900d92d7594b1b7d8d72ef3dc7

Fixed

0f1630be6fcca3f0c63e4b242ad202e5cde28a40

Fixed

ca18d751bcc9faf5b7e82e9fae1223d103928181

Fixed

94731cc551e29511d85aa8dec61a6c071b1f2430

Fixed

f97f6475fdcb3c28ff3c55cc4b7bde632119ec08

Fixed

0417adf367a0af11adf7ace849af4638cfb573f7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39673.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.13.0

Fixed

5.15.190

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.149

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.103

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.44

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.16.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39673.json"