CVE-2025-39925

Advisory lineage Upstream: 0 Downstream: 25
Modified
Published: 01 Oct 2025, 08:07
Last modified:11 May 2026, 21:39

Vulnerability Summary

Overall Risk (default)
low
22/100
CVSS Score
5.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.02% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

01 Oct 2025, 08:07
Published
Vulnerability first disclosed
11 May 2026, 21:39
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: can: j1939: implement NETDEV_UNREGISTER notification handler syzbot is reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 problem, for j1939 protocol did not have NETDEV_UNREGISTER notification handler for undoing changes made by j1939_sk_bind(). Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback") expects that a call to j1939_priv_put() can be unconditionally delayed until j1939_sk_sock_destruct() is called. But we need to call j1939_priv_put() against an extra ref held by j1939_sk_bind() call (as a part of undoing changes made by j1939_sk_bind()) as soon as NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct() is called via j1939_sk_release()). Otherwise, the extra ref on "struct j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from dropping the usage count to 1; making it impossible for unregister_netdevice() to continue. [mkl: remove space in front of label]

CVSS Metrics

  • v3.1MEDIUMScore: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.02% Percentile: 6%

Affected Systems

  • linuxlinux

    ≥ 9d71dd0c70099914fcd063135da3c580865e924c, < da9e8f429139928570407e8f90559b5d46c20262 | ≥ 9d71dd0c70099914fcd063135da3c580865e924c, < 7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a | 5.4

  • linuxlinux_kernel

    ≥ 5.4, < 6.16.8 | 6.17:rc1 | 6.17:rc2 | 6.17:rc3 | 6.17:rc4 | 6.17:rc5

References (2)