CVE-2025-39866

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-39866
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39866.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-39866
Published
2025-09-19T15:26:35.725Z
Modified
2025-11-28T02:34:09.503565Z
Summary
fs: writeback: fix use-after-free in __mark_inode_dirty()
Details

In the Linux kernel, the following vulnerability has been resolved:

fs: writeback: fix use-after-free in __mark_inode_dirty()

A use-after-free issue occurred when __mark_inode_dirty() got the bdi_writeback that was in the process of switching.

CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1
......
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __mark_inode_dirty+0x124/0x418
lr : __mark_inode_dirty+0x118/0x418
sp : ffffffc08c9dbbc0
........
Call trace:
 __mark_inode_dirty+0x124/0x418
 generic_update_time+0x4c/0x60
 file_modified+0xcc/0xd0
 ext4_buffered_write_iter+0x58/0x124
 ext4_file_write_iter+0x54/0x704
 vfs_write+0x1c0/0x308
 ksys_write+0x74/0x10c
 __arm64_sys_write+0x1c/0x28
 invoke_syscall+0x48/0x114
 el0_svc_common.constprop.0+0xc0/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x40/0xe4
 el0t_64_sync_handler+0x120/0x12c
 el0t_64_sync+0x194/0x198

Root cause is:

systemd-random-seed                      kworker
-----------------------------------------------------------------------
__mark_inode_dirty                       inode_switch_wbs_work_fn

  spin_lock(&inode->i_lock);
  inode_attach_wb
  locked_inode_to_wb_and_lock_list
    get inode->i_wb
    spin_unlock(&inode->i_lock);
    spin_lock(&wb->list_lock)
    spin_lock(&inode->i_lock)
    inode_io_list_move_locked
    spin_unlock(&wb->list_lock)
  spin_unlock(&inode->i_lock)
                                         spin_lock(&old_wb->list_lock)
                                           inode_do_switch_wbs
                                             spin_lock(&inode->i_lock)
                                             inode->i_wb = new_wb
                                             spin_unlock(&inode->i_lock)
                                         spin_unlock(&old_wb->list_lock)
                                         wb_put_many(old_wb, nr_switched)
                                           cgwb_release
                                           old wb released
  wb_wakeup_delayed() accesses wb,
  then trigger the use-after-free issue

Fix this race condition by holding the inode spinlock until wb_wakeup_delayed() has finished.
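The interleaving in the "Root cause" diagram, replayed as a deterministic user-space model. This is an added example and not kernel code: the structures and lock are stand-ins (a bool models spin_lock(&inode->i_lock), a bool set by a fake cgwb_release() models freed memory), the kworker's inode_switch_wbs_work_fn is modelled as a step that proceeds only when i_lock is not held, and the two __mark_inode_dirty() variants differ only in where the lock is dropped relative to wb_wakeup_delayed(), which is the substance of the fix. Function names mirror the kernel's; everything else is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct bdi_writeback (constructed for this example). */
struct bdi_writeback {
    int refcnt;      /* dropped by wb_put_many(); cgwb_release() runs at zero */
    bool released;   /* set by the modelled cgwb_release(); stands in for freed memory */
    int wakeups;     /* successful wb_wakeup_delayed() calls */
};

/* Stand-in for the inode fields involved in the race. */
struct inode {
    bool i_lock_held;             /* models spin_lock/spin_unlock(&inode->i_lock) */
    struct bdi_writeback *i_wb;
};

/* A queued inode_switch_wbs_work_fn: moves inode from i_wb to new_wb. */
struct switch_work {
    struct inode *inode;
    struct bdi_writeback *new_wb;
    bool pending;
};

static void wb_put(struct bdi_writeback *wb)
{
    if (--wb->refcnt == 0)
        wb->released = true;   /* cgwb_release(): old wb released */
}

/* Returns 0 on success, -1 if it touched a released wb (the use-after-free). */
static int wb_wakeup_delayed(struct bdi_writeback *wb)
{
    if (wb->released)
        return -1;
    wb->wakeups++;
    return 0;
}

/* The kworker: needs inode->i_lock, so it stays pending while the writer holds it. */
static void inode_switch_wbs_work_fn(struct switch_work *w)
{
    struct bdi_writeback *old_wb;

    if (!w->pending || w->inode->i_lock_held)
        return;                  /* still blocked on spin_lock(&inode->i_lock) */
    w->inode->i_lock_held = true;
    old_wb = w->inode->i_wb;
    w->inode->i_wb = w->new_wb;  /* inode_do_switch_wbs: inode->i_wb = new_wb */
    w->new_wb->refcnt++;
    w->inode->i_lock_held = false;
    w->pending = false;
    wb_put(old_wb);              /* wb_put_many(old_wb, nr_switched) */
}

/* Pre-fix __mark_inode_dirty(): i_lock is dropped before wb_wakeup_delayed(). */
static int mark_inode_dirty_before_fix(struct inode *inode, struct switch_work *w)
{
    struct bdi_writeback *wb;

    inode->i_lock_held = true;
    wb = inode->i_wb;            /* locked_inode_to_wb_and_lock_list: get inode->i_wb */
    inode->i_lock_held = false;  /* spin_unlock(&inode->i_lock) */
    inode_switch_wbs_work_fn(w); /* kworker runs in the window and releases old wb */
    return wb_wakeup_delayed(wb);
}

/* Post-fix __mark_inode_dirty(): i_lock is held until wb_wakeup_delayed() returns. */
static int mark_inode_dirty_after_fix(struct inode *inode, struct switch_work *w)
{
    struct bdi_writeback *wb;
    int rc;

    inode->i_lock_held = true;
    wb = inode->i_wb;
    inode_switch_wbs_work_fn(w); /* kworker is scheduled but blocks on i_lock */
    rc = wb_wakeup_delayed(wb);  /* wb is still alive: its reference has not been dropped */
    inode->i_lock_held = false;
    inode_switch_wbs_work_fn(w); /* now the switch proceeds and old wb is released */
    return rc;
}

/* Replays the systemd-random-seed vs kworker interleaving; returns the wakeup rc. */
static int replay(bool fixed)
{
    struct bdi_writeback old_wb = { .refcnt = 1 }, new_wb = { .refcnt = 1 };
    struct inode inode = { .i_wb = &old_wb };
    struct switch_work w = { .inode = &inode, .new_wb = &new_wb, .pending = true };

    return fixed ? mark_inode_dirty_after_fix(&inode, &w)
                 : mark_inode_dirty_before_fix(&inode, &w);
}

int main(void)
{
    printf("before fix: %s\n", replay(false) ? "use-after-free" : "ok");
    printf("after fix:  %s\n", replay(true) ? "use-after-free" : "ok");
    return 0;
}
```

The model takes no reference on the wb in __mark_inode_dirty(), matching the diagram, where the only thing protecting inode->i_wb is inode->i_lock. Dropping that lock before wb_wakeup_delayed() hands the kworker a window in which inode_do_switch_wbs() repoints i_wb and wb_put_many() drops the last reference; keeping the lock held across the wakeup closes the window because the kworker cannot take i_lock until the writer is done with wb.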

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39866.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
b187c976111960e6e54a6b1fff724f6e3d39406c
Fixed
1edc2feb9c759a9883dfe81cb5ed231412d8b2e4
Fixed
bf89b1f87c72df79cf76203f71fbf8349cd5c9de
Fixed
e63052921f1b25a836feb1500b841bff7a4a0456
Fixed
c8c14adf80bd1a6e4a1d7ee9c2a816881c26d17a
Fixed
d02d2c98d25793902f65803ab853b592c7a96b29

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.15.192
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.151
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.105
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.46
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.16.6
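A version-range check against the ECOSYSTEM table above, as an added example (not OSV or kernel tooling). It parses a `uname -r` style release string and reports whether it falls inside one of the listed [introduced, fixed) stable ranges; the ranges are copied from this page, and the parser and return convention are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One stable branch from the "Affected ranges" table: [introduced, fixed). */
struct range {
    int lo_major, lo_minor, lo_patch;   /* introduced (0.0.0 = all earlier versions) */
    int hi_major, hi_minor, hi_patch;   /* fixed (first version that carries the fix) */
};

/* Copied from this page's ECOSYSTEM ranges for CVE-2025-39866. */
static const struct range affected[] = {
    { 0,  0, 0,   5, 15, 192 },
    { 5, 16, 0,   6,  1, 151 },
    { 6,  2, 0,   6,  6, 105 },
    { 6,  7, 0,   6, 12,  46 },
    { 6, 13, 0,   6, 16,   6 },
};

static int cmp3(int a1, int a2, int a3, int b1, int b2, int b3)
{
    if (a1 != b1) return a1 < b1 ? -1 : 1;
    if (a2 != b2) return a2 < b2 ? -1 : 1;
    if (a3 != b3) return a3 < b3 ? -1 : 1;
    return 0;
}

/*
 * Parses the leading major.minor[.patch] of a release string such as
 * "6.6.104-generic"; trailing suffixes are ignored, a missing patch is 0.
 */
static bool parse_release(const char *s, int *major, int *minor, int *patch)
{
    char *end;

    *patch = 0;
    *major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return false;
    s = end + 1;
    *minor = (int)strtol(s, &end, 10);
    if (end == s) return false;
    if (*end == '.') {
        s = end + 1;
        *patch = (int)strtol(s, &end, 10);
        if (end == s) return false;
    }
    return true;
}

/* 1 = inside an affected range, 0 = outside all of them, -1 = unparseable. */
static int is_affected(const char *release)
{
    int maj, min, pat;
    size_t i;

    if (!parse_release(release, &maj, &min, &pat))
        return -1;
    for (i = 0; i < sizeof affected / sizeof affected[0]; i++) {
        const struct range *r = &affected[i];
        if (cmp3(maj, min, pat, r->lo_major, r->lo_minor, r->lo_patch) >= 0 &&
            cmp3(maj, min, pat, r->hi_major, r->hi_minor, r->hi_patch) < 0)
            return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample inputs; pass `uname -r` output as argv[1] instead. */
    const char *samples[] = { "6.6.104-generic", "6.6.105", "5.15.193", "6.17.0" };
    size_t i;

    if (argc > 1) {
        printf("%s: %d\n", argv[1], is_affected(argv[1]));
        return 0;
    }
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s: %d\n", samples[i], is_affected(samples[i]));
    return 0;
}
```

Two caveats when using this on a fleet. Versions that sit between one branch's fixed version and the next branch's introduced version (for example 5.15.193 or 6.17.0) are outside every range and report 0, which is what the table implies. Distribution kernels (Ubuntu, RHEL, SUSE, Debian) backport stable fixes without changing the upstream version string, so a 1 from this check means "upstream range says affected", not "this host is vulnerable"; confirm against the distribution's own advisory or the package changelog for the fix commit hashes listed above.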