1. Home
  2. Vulnerabilities
  3. CVE-2025-39841
0.0
NA
CVE-2025-39841
scsi: lpfc: Fix buffer free/clear order in deferred receive path
Description

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., ABTS and the repost path) also inspect and release the same pointer under the lock, so the old order could lead to double-free/UAF. Note that the repost path already uses the correct pattern: detach the pointer under the lock, then free it after dropping the lock. The deferred path should do the same.

INFO

Published Date :

Sept. 19, 2025, 4:15 p.m.

Last Modified :

Sept. 19, 2025, 4:15 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2025-39841 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Solution
Correct buffer release sequence to prevent use-after-free and double-free vulnerabilities.
  • Update the Linux kernel to the latest version.
  • Apply the specific patch for the scsi: lpfc driver.
  • Ensure correct buffer release order in drivers.
  • Review deferred receive path logic for similar issues.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-39841.

URL Resource
https://git.kernel.org/stable/c/367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11
https://git.kernel.org/stable/c/55658c7501467ca9ef3bd4453dd920010db8bc13
https://git.kernel.org/stable/c/897f64b01c1249ac730329b83f4f40bab71e86c7
https://git.kernel.org/stable/c/95b63d15fce5c54a73bbf195e1aacb5a75b128e2
https://git.kernel.org/stable/c/9dba9a45c348e8460da97c450cddf70b2056deb3
https://git.kernel.org/stable/c/ab34084f42ee06a9028d67c78feafb911d33d111
https://git.kernel.org/stable/c/baa39f6ad79d372a6ce0aa639fbb2f1578479f57
https://git.kernel.org/stable/c/d96cc9a1b57725930c60b607423759d563b4d900
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-39841 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-39841 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-39841 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-39841 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Sep. 19, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., ABTS and the repost path) also inspect and release the same pointer under the lock, so the old order could lead to double-free/UAF. Note that the repost path already uses the correct pattern: detach the pointer under the lock, then free it after dropping the lock. The deferred path should do the same.
    Added Reference https://git.kernel.org/stable/c/367cb5ffd8a8a4c85dc89f55e7fa7cc191425b11
    Added Reference https://git.kernel.org/stable/c/55658c7501467ca9ef3bd4453dd920010db8bc13
    Added Reference https://git.kernel.org/stable/c/897f64b01c1249ac730329b83f4f40bab71e86c7
    Added Reference https://git.kernel.org/stable/c/95b63d15fce5c54a73bbf195e1aacb5a75b128e2
    Added Reference https://git.kernel.org/stable/c/9dba9a45c348e8460da97c450cddf70b2056deb3
    Added Reference https://git.kernel.org/stable/c/ab34084f42ee06a9028d67c78feafb911d33d111
    Added Reference https://git.kernel.org/stable/c/baa39f6ad79d372a6ce0aa639fbb2f1578479f57
    Added Reference https://git.kernel.org/stable/c/d96cc9a1b57725930c60b607423759d563b4d900
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.