Wind River Support Network

Acknowledged

LIN1024-11106 : Security Advisory - linux - CVE-2025-39673

Created: Sep 7, 2025    Updated: Sep 8, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

ppp: fix race conditions in ppp_fill_forward_path

ppp_fill_forward_path() has two race conditions:

1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic.

2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels.

Fix these by using a lockless RCU approach:
- Use list_first_or_null_rcu() to safely test and access the first list entry.
- Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal.
- Check for a NULL pch->chan before dereferencing it.
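The two races and the shape of the fix can be replayed deterministically in userspace. The following is an added example, not code from the kernel patch or from Wind River: the list helpers, first_unlocked(), first_or_null(), disconnect() and replay() are simplified stand-ins (assumptions), real RCU is not modelled, and only the "empty head" outcome of race 1 is shown, not the freed-entry case.

```c
#include <stdio.h>

/* Userspace model (assumption): simplified list_head, no real RCU; the
 * concurrent writer is replayed deterministically through a callback. */
struct list_head { struct list_head *next, *prev; };
struct channel { struct list_head clist; void *chan; };  /* models pch */

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del(struct list_head *n)  /* keeps n->next, like list_del_rcu() */
{ n->prev->next = n->next; n->next->prev = n->prev; }

/* Writer: chan is cleared first, then the entry leaves the list. */
static void disconnect(void *arg)
{ struct channel *pch = arg; pch->chan = NULL; list_del(&pch->clist); }

/* Before the fix: emptiness test and fetch are two separate reads. */
static struct channel *first_unlocked(struct list_head *h, void (*w)(void *), void *a)
{
    if (h->next == h) return NULL;       /* list_empty() */
    if (w) w(a);                         /* writer runs inside the window */
    return (struct channel *)h->next;    /* list_first_entry(); clist is at offset 0 */
}

/* After the fix: one snapshot of head->next, then a NULL check on chan. */
static struct channel *first_or_null(struct list_head *h, void (*w)(void *), void *a)
{
    struct list_head *first = h->next;   /* what list_first_or_null_rcu() reads */
    if (w) w(a);
    if (first == h) return NULL;
    struct channel *pch = (struct channel *)first;
    return pch->chan ? pch : NULL;
}

/* Returns 0 = NULL, 1 = live channel, 2 = list head misread as a channel. */
static int replay(int fixed, int race)
{
    struct list_head head; struct channel ch = { .chan = &ch };
    void (*w)(void *) = race ? disconnect : NULL;
    list_init(&head); list_add(&ch.clist, &head);
    struct channel *got = (fixed ? first_or_null : first_unlocked)(&head, w, &ch);
    return got == NULL ? 0 : (got == &ch ? 1 : 2);
}

int main(void)
{
    printf("old pattern, raced: %d\nfixed pattern, raced: %d\n", replay(0, 1), replay(1, 1));
}
```

In the kernel the snapshot is only safe because the writer side uses the RCU list variants and calls synchronize_net() after removal, so the entry the reader holds is not freed while it is still in use.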

CREATE(Triage):(User=admin) [CVE-2025-39673 (https://nvd.nist.gov/vuln/detail/CVE-2025-39673)