CVE-2025-39713
- Source
- https://cve.org/CVERecord?id=CVE-2025-39713
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39713.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39713
- Downstream
- Related
- Published
- 2025-09-05T17:21:20.459Z
- Modified
- 2026-03-12T02:17:59.536920Z
- Summary
- media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
In the interrupt handler raininterrupt(), the buffer full check on rain->buflen is performed before acquiring rain->buflock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buflen is concurrently accessed and modified in the work handler rainirqwork_handler() under the same lock.
Multiple interrupt invocations can race, with each reading buflen before it becomes full and then proceeding. This can lead to both interrupts attempting to write to the buffer, incrementing buflen beyond its capacity (DATA_SIZE) and causing a buffer overflow.
Fix this bug by moving the spinlock() to before the buffer full check. This ensures that the check and the subsequent buffer modification are performed atomically, preventing the race condition. An corresponding spinunlock() is added to the overflow path to correctly release the lock.
This possible bug was found by an experimental static analysis tool developed by our team.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39713.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1c2769dc80255824542ea5a4ff1a07dcdeb1603f
- https://git.kernel.org/stable/c/2964dbe631fd21ad7873b1752b895548d3c12496
- https://git.kernel.org/stable/c/3c3e33b7edca7a2d6a96801f287f9faeb684d655
- https://git.kernel.org/stable/c/6aaef1a75985865d8c6c5b65fb54152060faba48
- https://git.kernel.org/stable/c/7af160aea26c7dc9e6734d19306128cce156ec40
- https://git.kernel.org/stable/c/ed905fe7cba03cf22ae0b84cf1b73cd1c070423a
- https://git.kernel.org/stable/c/fbc81e78d75bf28972bc22b1599559557b1a1b83
- https://git.kernel.org/stable/c/ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39713.json
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-39713
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0f314f6c2e77beb1a232be21dd6be4e1849ba5acFixed2964dbe631fd21ad7873b1752b895548d3c12496Fixed6aaef1a75985865d8c6c5b65fb54152060faba48Fixedfbc81e78d75bf28972bc22b1599559557b1a1b83Fixed3c3e33b7edca7a2d6a96801f287f9faeb684d655Fixed1c2769dc80255824542ea5a4ff1a07dcdeb1603fFixeded905fe7cba03cf22ae0b84cf1b73cd1c070423aFixedff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59Fixed7af160aea26c7dc9e6734d19306128cce156ec40