CVE-2025-39927 | ceph: fix race condition validating r_parent before applying state

In the Linux kernel, the following vulnerability has been resolved: ceph: fix race condition validating r_parent before applying state Add validation to ensure the cached parent directory inode matches the directory info in MDS replies. This prevents client-side race conditions where concurrent operations (e.g. rename) cause r_parent to become stale between request initiation and reply processing, which could lead to applying state changes to incorrect directory inodes. [ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to move CEPH_CAP_PIN reference when r_parent is updated: When the parent directory lock is not held, req->r_parent can become stale and is updated to point to the correct inode. However, the associated CEPH_CAP_PIN reference was not being adjusted. The CEPH_CAP_PIN is a reference on an inode that is tracked for accounting purposes. Moving this pin is important to keep the accounting balanced. When the pin was not moved from the old parent to the new one, it created two problems: The reference on the old, stale parent was never released, causing a reference leak. A reference for the new parent was never acquired, creating the risk of a reference underflow later in ceph_mdsc_release_request(). This patch corrects the logic by releasing the pin from the old parent and acquiring it for the new parent when r_parent is switched. This ensures reference accounting stays balanced. ]

Published: 2025-10-01 Last update: 2026-06-17 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2025-39927 is rated Low Risk (19.2/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.10%). Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-39927

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.02% 0.10% +0.08%
2 2025-10-01 0.02%

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-39927

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.7 3.1 MEDIUM
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.0 3.6 [email protected]
4.7 3.1 MEDIUM
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.0 3.6 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2025-39927

OS Trackers for CVE-2025-39927

vendor priority summary link
debian not yet assigned CVE-2025-39927 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2. https://security-tracker.debian.org/tracker/CVE-2025-39927
redhat medium https://access.redhat.com/security/cve/CVE-2025-39927
suse medium CVE-2025-39927 severity moderate: SUSE including 98 source package names (13.2-9.1:libsqlite3-0-3.49.1-1.1, 2.1.3-6.31:libsqlite3-0-3.49.1-1.1, …), 246 product×package rows across 36 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (36 product lines)): Fixed 165, Known Not Affected 56, First Fixed 25. https://www.suse.com/security/cve/CVE-2025-39927/
ubuntu medium CVE-2025-39927 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, ignored 180, released 117, needed 80, not-affected 16, needs-triage 2, pending 2. https://ubuntu.com/security/CVE-2025-39927

Affected software / configurations for CVE-2025-39927

Vendor Product Version Raw CPE
linux linux_kernel >= 2.6.35, < 6.12.48 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.13, < 6.16.8 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel 2.6.34 cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:*
linux linux_kernel 2.6.34 cpe:2.3:o:linux:linux_kernel:2.6.34:rc2:*:*:*:*:*:*
linux linux_kernel 2.6.34 cpe:2.3:o:linux:linux_kernel:2.6.34:rc3:*:*:*:*:*:*
linux linux_kernel 2.6.34 cpe:2.3:o:linux:linux_kernel:2.6.34:rc4:*:*:*:*:*:*
linux linux_kernel 2.6.34 cpe:2.3:o:linux:linux_kernel:2.6.34:rc5:*:*:*:*:*:*
linux linux_kernel 2.6.34 cpe:2.3:o:linux:linux_kernel:2.6.34:rc6:*:*:*:*:*:*
linux linux_kernel 2.6.34 cpe:2.3:o:linux:linux_kernel:2.6.34:rc7:*:*:*:*:*:*
linux linux_kernel 6.17 cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
linux linux_kernel 6.17 cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
linux linux_kernel 6.17 cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
linux linux_kernel 6.17 cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*
linux linux_kernel 6.17 cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*

References for CVE-2025-39927

cvelogic Threat Intelligence