[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-39881":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":19,"related":20,"reserved_at":9,"published_at":21,"modified_at":22,"state":9,"summary":23,"references_raw":25,"kevs":32,"epss":9,"epss_history":33,"metrics":34,"affected":41},"DEBIAN-CVE-2025-39881","In the Linux kernel, the following vulnerability has been resolved:  kernfs: Fix UAF in polling when open file is released  A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism:  BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140 Read of size 8 at addr ffff3de3d50bd308 by task systemd/1  psi_trigger_poll+0x3c/0x140 cgroup_pressure_poll+0x70/0xa0 cgroup_file_poll+0x8c/0x100 kernfs_fop_poll+0x11c/0x1c0 ep_item_poll.isra.0+0x188/0x2c0  Allocated by task 1: cgroup_file_open+0x88/0x388 kernfs_fop_open+0x73c/0xaf0 do_dentry_open+0x5fc/0x1200 vfs_open+0xa0/0x3f0 do_open+0x7e8/0xd08 path_openat+0x2fc/0x6b0 do_filp_open+0x174/0x368  Freed by task 8462: cgroup_file_release+0x130/0x1f8 kernfs_drain_open_files+0x17c/0x440 kernfs_drain+0x2dc/0x360 kernfs_show+0x1b8/0x288 cgroup_file_show+0x150/0x268 cgroup_pressure_write+0x1dc/0x340 cgroup_file_write+0x274/0x548  Reproduction Steps: 1. Open test/cpu.pressure and establish epoll monitoring 2. Disable monitoring: echo 0 > test/cgroup.pressure 3. Re-enable monitoring: echo 1 > test/cgroup.pressure  The race condition occurs because: 1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:    - Releases PSI triggers via cgroup_file_release()    - Frees of->priv through kernfs_drain_open_files() 2. While epoll still holds reference to the file and continues polling 3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv  epolling\t\t\tdisable/enable cgroup.pressure fd=open(cpu.pressure) while(1) ... epoll_wait kernfs_fop_poll kernfs_get_active = true\techo 0 > cgroup.pressure ...\t\t\t\tcgroup_file_show \t\t\t\tkernfs_show \t\t\t\t// inactive kn \t\t\t\tkernfs_drain_open_files \t\t\t\tcft->release(of); \t\t\t\tkfree(ctx); \t\t\t\t... kernfs_get_active = false \t\t\t\techo 1 > cgroup.pressure \t\t\t\tkernfs_show \t\t\t\tkernfs_activate_one(kn); kernfs_fop_poll kernfs_get_active = true cgroup_file_poll psi_trigger_poll // UAF ... end: close(fd)  To address this issue, introduce kernfs_get_active_of() for kernfs open files to obtain active references. This function will fail if the open file has been released. Replace kernfs_get_active() with kernfs_get_active_of() to prevent further operations on released file descriptors.",null,[],[],[],[14],{"_key":15},"CVE-2025-39881",[17],{"_key":18},"DLA-4328-1",[],[],"2025-09-23T06:15:47.793Z","2026-04-28T20:30:07.596968Z",{"cisa_kev":24,"cisa_ransomware":24,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[26],{"url":27,"sources":28,"tags":30},"https://security-tracker.debian.org/tracker/CVE-2025-39881",[29],"osv_debian",[31],"Advisory",[],[],[35],{"source":29,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":36,"cvss_v4_0":9},{"baseScore":37,"baseSeverity":9,"vectorString":38,"impactScore":39,"exploitabilityScore":40},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[42,60],{"ecosystem":43,"name":44,"vendor":45,"product":44,"cpe_part":9,"purl_type":46,"purl_namespace":45,"purl_name":44,"source":9,"versions":47},"Debian","linux","debian","deb",[48,54,57],{"version":49,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":52,"version_end_type":53,"fixed_in":9},"lt6_1_153_1",true,"ecosystem","6.1.153-1","excluding",{"version":55,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":53,"fixed_in":9},"lt6_12_48_1","6.12.48-1",{"version":58,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":59,"version_end_type":53,"fixed_in":9},"lt6_16_8_1","6.16.8-1",{"ecosystem":43,"name":61,"vendor":45,"product":61,"cpe_part":9,"purl_type":46,"purl_namespace":45,"purl_name":61,"source":9,"versions":62},"linux-6.1",[63],{"version":64,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":65,"version_end_type":53,"fixed_in":9},"lt6_1_153_1~deb11u1","6.1.153-1~deb11u1"]