Bug 2400629 (CVE-2025-39925) - CVE-2025-39925 kernel: can: j1939: implement NETDEV_UNREGISTER notification handler
Status: NEW
Alias: CVE-2025-39925
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Product Security DevOps Team
Reported: 2025-10-01 09:01 UTC by OSIDB Bzimport
Modified: 2026-01-14 09:47 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:22854 0 None None None 2025-12-08 14:42:44 UTC
Red Hat Product Errata RHSA-2025:22865 0 None None None 2025-12-08 17:59:38 UTC
Red Hat Product Errata RHSA-2025:23789 0 None None None 2025-12-22 03:02:30 UTC
Red Hat Product Errata RHSA-2026:0173 0 None None None 2026-01-07 00:47:01 UTC
Red Hat Product Errata RHSA-2026:0271 0 None None None 2026-01-08 00:32:23 UTC
Red Hat Product Errata RHSA-2026:0534 0 None None None 2026-01-14 00:09:22 UTC
Red Hat Product Errata RHSA-2026:0535 0 None None None 2026-01-14 00:28:42 UTC
Red Hat Product Errata RHSA-2026:0537 0 None None None 2026-01-14 00:07:29 UTC
Red Hat Product Errata RHSA-2026:0576 0 None None None 2026-01-14 09:47:45 UTC

Description OSIDB Bzimport 2025-10-01 09:01:49 UTC
In the Linux kernel, the following vulnerability has been resolved:

can: j1939: implement NETDEV_UNREGISTER notification handler

syzbot is reporting

  unregister_netdevice: waiting for vcan0 to become free. Usage count = 2

problem, for j1939 protocol did not have NETDEV_UNREGISTER notification
handler for undoing changes made by j1939_sk_bind().

Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
callback") expects that a call to j1939_priv_put() can be unconditionally
delayed until j1939_sk_sock_destruct() is called. But we need to call
j1939_priv_put() against an extra ref held by j1939_sk_bind() call
(as a part of undoing changes made by j1939_sk_bind()) as soon as
NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()
is called via j1939_sk_release()). Otherwise, the extra ref on "struct
j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from
dropping the usage count to 1; making it impossible for
unregister_netdevice() to continue.

[mkl: remove space in front of label]
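
The reference chain described above, as an added user-space model that is not the kernel patch or any project code: it shows why the device usage count stays at 2 while a bound socket is open, and why undoing the bind at NETDEV_UNREGISTER lets it drop to 1. All `model_*` types and the `sk_bind`/`sk_unbind`/`priv_put` helpers are hypothetical simplifications of the kernel objects named in the description.

```c
/* Simplified user-space model (assumption), not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct model_dev  { int usage; };                        /* struct net_device */
struct model_priv { int refs; struct model_dev *dev; };  /* struct j1939_priv */
struct model_sock { struct model_priv *priv; };          /* bound j1939 socket */

static void priv_put(struct model_priv *p)
{
    if (--p->refs == 0)
        p->dev->usage--;            /* last priv ref releases the device */
}

/* bind: the socket takes a priv ref; the first priv ref pins the device. */
static void sk_bind(struct model_sock *sk, struct model_priv *p)
{
    if (p->refs++ == 0)
        p->dev->usage++;
    sk->priv = p;
}

/* Undo bind exactly once: the unregister handler and socket destruction
 * both call this, so the second caller must find nothing left to drop. */
static void sk_unbind(struct model_sock *sk)
{
    if (sk->priv) {
        priv_put(sk->priv);
        sk->priv = NULL;
    }
}

/* Usage count that device unregistration sees while the socket is open. */
int usage_at_unregister(bool have_handler)
{
    struct model_dev dev = { .usage = 1 };   /* 1 = registration's own ref */
    struct model_priv priv = { .refs = 0, .dev = &dev };
    struct model_sock sk = { .priv = NULL };
    sk_bind(&sk, &priv);
    if (have_handler)
        sk_unbind(&sk);             /* NETDEV_UNREGISTER: drop the ref now */
    int seen = dev.usage;
    sk_unbind(&sk);                 /* later close(): must not double-put */
    return dev.usage == 1 ? seen : -1;
}

int main(void)
{
    printf("no handler: %d, handler: %d\n", usage_at_unregister(false), usage_at_unregister(true));
    return 0;
}
```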

Comment 3 errata-xmlrpc 2025-12-08 14:42:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:22854 https://access.redhat.com/errata/RHSA-2025:22854

Comment 4 errata-xmlrpc 2025-12-08 17:59:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:22865 https://access.redhat.com/errata/RHSA-2025:22865

Comment 5 errata-xmlrpc 2025-12-22 03:02:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:23789 https://access.redhat.com/errata/RHSA-2025:23789

Comment 6 errata-xmlrpc 2026-01-07 00:47:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:0173 https://access.redhat.com/errata/RHSA-2026:0173

Comment 7 errata-xmlrpc 2026-01-08 00:32:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:0271 https://access.redhat.com/errata/RHSA-2026:0271

Comment 8 errata-xmlrpc 2026-01-14 00:07:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:0537 https://access.redhat.com/errata/RHSA-2026:0537

Comment 9 errata-xmlrpc 2026-01-14 00:09:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:0534 https://access.redhat.com/errata/RHSA-2026:0534

Comment 10 errata-xmlrpc 2026-01-14 00:28:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:0535 https://access.redhat.com/errata/RHSA-2026:0535

Comment 11 errata-xmlrpc 2026-01-14 09:47:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:0576 https://access.redhat.com/errata/RHSA-2026:0576
