CVE-2025-39821

{"id": "CVE-2025-39821", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-09-16T13:15:59.300", "references": [{"url": "https://git.kernel.org/stable/c/b64fdd422a85025b5e91ead794db9d3ef970e369", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d689135aa9c5e4e0eab5a92bbe35dab0c8d6677f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Avoid undefined behavior from stopping/starting inactive events\n\nCalling pmu->start()/stop() on perf events in PERF_EVENT_STATE_OFF can\nleave event->hw.idx at -1. When PMU drivers later attempt to use this\nnegative index as a shift exponent in bitwise operations, it leads to UBSAN\nshift-out-of-bounds reports.\n\nThe issue is a logical flaw in how event groups handle throttling when some\nmembers are intentionally disabled. Based on the analysis and the\nreproducer provided by Mark Rutland (this issue on both arm64 and x86-64).\n\nThe scenario unfolds as follows:\n\n 1. A group leader event is configured with a very aggressive sampling\n period (e.g., sample_period = 1). This causes frequent interrupts and\n triggers the throttling mechanism.\n 2. A child event in the same group is created in a disabled state\n (.disabled = 1). This event remains in PERF_EVENT_STATE_OFF.\n Since it hasn't been scheduled onto the PMU, its event->hw.idx remains\n initialized at -1.\n 3. When throttling occurs, perf_event_throttle_group() and later\n perf_event_unthrottle_group() iterate through all siblings, including\n the disabled child event.\n 4. perf_event_throttle()/unthrottle() are called on this inactive child\n event, which then call event->pmu->start()/stop().\n 5. The PMU driver receives the event with hw.idx == -1 and attempts to\n use it as a shift exponent. e.g., in macros like PMCNTENSET(idx),\n leading to the UBSAN report.\n\nThe throttling mechanism attempts to start/stop events that are not\nactively scheduled on the hardware.\n\nMove the state check into perf_event_throttle()/perf_event_unthrottle() so\nthat inactive events are skipped entirely. This ensures only active events\nwith a valid hw.idx are processed, preventing undefined behavior and\nsilencing UBSAN warnings. The corrected check ensures true before\nproceeding with PMU operations.\n\nThe problem can be reproduced with the syzkaller reproducer:"}], "lastModified": "2025-12-02T18:35:40.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5EAC2366-3E84-4F52-AF72-DB8127DB7367", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}