DEBIAN-CVE-2025-39673
In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic. 2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels. Fix these by using a lockless RCU approach: - Use list_first_or_null_rcu() to safely test and access the first list entry. - Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal. - Check for a NULL pch->chan before dereferencing it.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | linux-6.1 | 0, *, 6.1.148-1 |
| Debian:13 | linux | 6.12.38-1, 6.12.43-1, 6.12.43-1 |
| Debian:12 | linux | 6.1.106-1, 0, 6.1.106-1 |
| Debian:14 | linux | 6.13.9-1~exp1, 6.13.8-1~exp1, 6.13.7-1~exp1 |
Exploit Intelligence
- 4081.3.6.yml (github-poc)
Timeline
- Sep 5, 2025 CVE Published
- Apr 28, 2026 CVE Updated