CVE-2025-39736: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-39736 is a vulnerability in the Linux kernel's memory leak detection subsystem (kmemleak) discovered and disclosed on September 11, 2025. The vulnerability affects the memory management component, specifically in the handling of warning messages while holding the kmemleak lock (NVD).

The vulnerability occurs when netpoll is enabled and prwarnonce() is called while holding kmemleaklock in mempoolalloc(). This creates a deadlock due to lock inversion with the netconsole subsystem, as prwarnonce() may trigger netpoll, which leads to _allocskb() attempting to reacquire kmemleaklock. The vulnerability has been assigned a CVSS v3.1 score of 5.5 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability can cause a system deadlock when specific conditions are met in the kernel's memory leak detection system. This primarily affects system availability by potentially causing the system to become unresponsive when the vulnerability is triggered (Red Hat).

The fix involves setting a flag and moving the prwarnonce() call outside of the kmemleak_lock section. This has been implemented in various Linux kernel versions. Red Hat has marked this for deferred fixes in Enterprise Linux 8, 9, and 10, while version 7 is not affected (Red Hat).