CVE-2025-39992 Affecting kernel-cross-headers package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS9-KERNELCROSSHEADERS-13590120
- published17 Oct 2025
- disclosed15 Oct 2025
Introduced: 15 Oct 2025
NewCVE-2025-39992 (opens in a new tab)How to fix?
There is no fixed version for Centos:9 kernel-cross-headers.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-cross-headers package and not the kernel-cross-headers package as distributed by Centos.
See How to fix? for Centos:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
mm: swap: check for stable address space before operating on the VMA
It is possible to hit a zero entry while traversing the vmas in unuse_mm() called from swapoff path and accessing it causes the OOPS:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000446--> Loading the memory from offset 0x40 on the XA_ZERO_ENTRY as address. Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault
The issue is manifested from the below race between the fork() on a process and swapoff: fork(dup_mmap()) swapoff(unuse_mm)
Identical mtree is built using __mt_dup().
copy_pte_range()--> copy_nonpresent_pte(): The dst mm is added into the mmlist to be visible to the swapoff operation.
Fatal signal is sent to the parent process(which is the current during the fork) thus skip the duplication of the vmas and mark the vma range with XA_ZERO_ENTRY as a marker for this process that helps during exit_mmap().
4) swapoff is tried on the 'mm' added to the 'mmlist' as part of the 2.5) unuse_mm(), that iterates through the vma's of this 'mm' will hit the non-NULL zero entry and operating on this zero entry as a vma is resulting into the oops.
The proper fix would be around not exposing this partially-valid tree to others when droping the mmap lock, which is being solved with [1]. A simpler solution would be checking for MMF_UNSTABLE, as it is set if mm_struct is not fully initialized in dup_mmap().
Thanks to Liam/Lorenzo/David for all the suggestions in fixing this issue.
References
- https://access.redhat.com/security/cve/CVE-2025-39992
- https://git.kernel.org/stable/c/1367da7eb875d01102d2ed18654b24d261ff5393
- https://git.kernel.org/stable/c/4e5f060d7347466f77aaff1c0d5a6c4f1fb217ac
- https://git.kernel.org/stable/c/9cddad3b26dac830407d2d3c0de5205ff6d6dda0
- https://git.kernel.org/stable/c/e4e99d69b8b8295c501b2eef89e13306b738b667