
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-39847 is a memory leak vulnerability discovered in the Linux kernel's PPP (Point-to-Point Protocol) implementation, specifically in the pad_compress_skb function. The vulnerability was disclosed on September 19, 2025, and affects the Linux kernel's network stack (NVD).
The vulnerability occurs when alloc_skb() fails in pad_compress_skb(), which then returns NULL without releasing the old skb. The problematic code path involves the caller executing 'skb = pad_compress_skb(ppp, skb);' followed by a NULL check that jumps to a drop label. When pad_compress_skb() returns NULL, the assignment overwrites the only reference to the old skb, so kfree_skb(skb) is passed NULL and frees nothing, resulting in a memory leak (NVD).
The vulnerability leads to memory leaks in the Linux kernel's networking stack, which could potentially cause system resource exhaustion over time (NVD).
The issue has been addressed by aligning pad_compress_skb() semantics with realloc(): the old skb is only freed if allocation and compression succeed. At the call site, a new_skb variable is now used to prevent losing the original skb when pad_compress_skb() fails. The fix has been included in Linux kernel version 6.12.48-1 for Debian's stable distribution (trixie) (Debian Security).
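The leak and the fixed call-site pattern described above can be reproduced in a small userspace model. This is an added example, not the kernel source or the upstream patch: the model_* helpers, the send_frame_* functions and the fixed-size pool are constructed stand-ins, and only the allocation-failure path is modeled.

```c
#include <stdio.h>
/* Userspace stand-ins for kernel objects; all model_* names are constructed. */
static struct skb { int in_use; } pool[8];
static int live_skbs;   /* buffers allocated and not yet freed */
static int fail_alloc;  /* 1 simulates alloc_skb() failing */
static struct skb *model_alloc_skb(void) {
    if (fail_alloc) return NULL;
    for (int i = 0; i < 8; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; live_skbs++; return &pool[i]; }
    return NULL;
}
static void model_kfree_skb(struct skb *s) {
    if (!s) return;     /* freeing NULL is a no-op, as with kfree_skb() */
    s->in_use = 0; live_skbs--;
}
/* On allocation failure: returns NULL and leaves the old skb untouched. */
static struct skb *model_pad_compress_skb(struct skb *skb) {
    struct skb *new_skb = model_alloc_skb();
    if (!new_skb) return NULL;
    model_kfree_skb(skb);   /* old skb released only on success */
    return new_skb;
}
/* Pre-fix call site: the result overwrites the only pointer to the old skb. */
int send_frame_leaky(int fail) {
    int before = live_skbs;
    fail_alloc = 0;
    struct skb *skb = model_alloc_skb();
    fail_alloc = fail;
    skb = model_pad_compress_skb(skb);
    if (!skb) goto drop;
drop:
    model_kfree_skb(skb);   /* skb is NULL on failure: nothing is freed */
    return live_skbs - before;   /* buffers leaked by this call */
}
/* Post-fix call site: new_skb keeps the original reachable on failure. */
int send_frame_fixed(int fail) {
    int before = live_skbs;
    fail_alloc = 0;
    struct skb *skb = model_alloc_skb();
    fail_alloc = fail;
    struct skb *new_skb = model_pad_compress_skb(skb);
    if (new_skb) skb = new_skb;
    model_kfree_skb(skb);
    return live_skbs - before;
}
int main(void) {
    printf("leaky: %d, fixed: %d\n", send_frame_leaky(1), send_frame_fixed(1));
    return 0;
}
```

Each failed allocation in the pre-fix pattern strands one buffer, which is why the leak grows with sustained memory pressure on a PPP link using compression.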
Source: This report was generated using AI