{"id":"AZL-67007","summary":"CVE-2025-39673 affecting package kernel for versions less than 6.6.104.2-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix race conditions in ppp_fill_forward_path\n\nppp_fill_forward_path() has two race conditions:\n\n1. The ppp-\u003echannels list can change between list_empty() and\n   list_first_entry(), as ppp_lock() is not held. If the only channel\n   is deleted in ppp_disconnect_channel(), list_first_entry() may\n   access an empty head or a freed entry, and trigger a panic.\n\n2. pch-\u003echan can be NULL. When ppp_unregister_channel() is called,\n   pch-\u003echan is set to NULL before pch is removed from ppp-\u003echannels.\n\nFix these by using a lockless RCU approach:\n- Use list_first_or_null_rcu() to safely test and access the first list\n  entry.\n- Convert list modifications on ppp-\u003echannels to their RCU variants and\n  add synchronize_net() after removal.\n- Check for a NULL pch-\u003echan before dereferencing it.","modified":"2026-04-01T05:21:06.206134Z","published":"2025-09-05T18:15:43Z","upstream":["CVE-2025-39673"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39673"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.104.2-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67007.json"}}],"schema_version":"1.7.5"}