CVE-2025-39872

MEDIUMNVD 5.55.5—

5.5

In the Linux kernel, the following vulnerability has been resolved:

hsr: hold rcu and dev lock for hsr_get_port_ndev

hsr_get_port_ndev calls hsr_for_each_port, which need to hold rcu lock. On the other hand, before return the port device, we need to hold the device reference to avoid UaF in the caller function.

CVSS v3: 5.5
EG Score: 5.5(medium)
EPSS: 3.1%
KEV: Not listed

Published

September 23, 2025

Last Modified

January 8, 2026

References (3)

416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/68a6729afd3e8e9a2a32538642ce92b96ccf9b1d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/847748fc66d08a89135a74e29362a66ba4e3ab15
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9433ba79c2ec3ec7c9a711748701549339c3438c

Data Freshness Timeline

(refreshed 8× in last 7d / 28× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

2026-06-16 17:52 UTCEPSS rescore
2026-06-16 17:52 UTCEPSS rescore
2026-06-14 23:17 UTCEPSS rescore
2026-06-13 23:00 UTCEPSS rescore
2026-06-12 23:11 UTCEPSS rescore
2026-06-11 14:00 UTCEPSS rescore
2026-06-10 22:18 UTCEPSS rescore
2026-06-10 13:22 UTCEPSS rescore
2026-06-08 14:16 UTCEPSS rescore
2026-06-08 14:16 UTCEPSS rescore
2026-06-07 15:24 UTCEPSS rescore
2026-06-06 13:47 UTCEPSS rescore
2026-06-06 13:47 UTCEPSS rescore
2026-06-05 22:46 UTCEPSS rescore
2026-06-05 22:46 UTCEPSS rescore
2026-06-05 06:10 UTCEPSS rescore
2026-06-05 06:10 UTCEPSS rescore
2026-06-04 13:12 UTCEPSS rescore
2026-06-04 13:12 UTCEPSS rescore
2026-06-02 20:12 UTCEPSS rescore
2026-06-01 13:51 UTCEPSS rescore
2026-06-01 13:51 UTCEPSS rescore
2026-05-31 22:30 UTCEPSS rescore
2026-05-31 22:30 UTCEPSS rescore
2026-05-31 00:16 UTCEPSS rescore

Show 3 more

2026-05-29 22:10 UTCEG score recompute
2026-05-29 22:10 UTCGHSA enrichment
2026-05-29 13:44 UTCEPSS rescore

Frequently asked(5)

What is CVE-2025-39872?

CVE-2025-39872 is a medium vulnerability published on September 23, 2025. In the Linux kernel, the following vulnerability has been resolved: hsr: hold rcu and dev lock for hsrgetport_ndev hsrgetportndev calls hsrforeachport, which need to hold rcu lock. On the other hand, before return the port device, we need to hold the device reference to avoid UaF in the caller…

When was CVE-2025-39872 disclosed?

CVE-2025-39872 was first published in the National Vulnerability Database on September 23, 2025, with the most recent update on January 8, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2025-39872 actively exploited?

CVE-2025-39872 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 3.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2025-39872?

CVE-2025-39872 has a CVSS v3 base score of 5.5 (NVD).

How do I remediate CVE-2025-39872?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2025-39872, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2025-39872

Explore →

Is Your Infrastructure Affected by CVE-2025-39872?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2025-39872

📅 Published

🔄 Last Modified

🔗 References (3)