
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-39877 is a use-after-free vulnerability discovered in the Linux kernel's DAMON (Data Access MONitor) subsystem, specifically in the state_show() function. The vulnerability was publicly disclosed on September 23, 2025, affecting various Linux distributions and their kernel versions (NVD, Ubuntu).
The vulnerability occurs in mm/damon/sysfs where state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. This creates a race condition that can lead to a use-after-free scenario when the context is freed or replaced under damon_sysfs_lock by concurrent operations like damon_sysfs_kdamonds_rm_dirs() and damon_sysfs_kdamond_release(). The issue has existed since state_show() first accessed kdamond->damon_ctx (NVD).
The vulnerability affects multiple Linux distributions including Ubuntu, Debian, and their derivatives. In Ubuntu, it impacts various kernel flavors including linux-azure, linux-gcp, and linux-aws across different versions. For Debian, it affects multiple releases including bookworm and trixie (Ubuntu, Debian).
The fix involves taking damon_sysfs_lock before dereferencing the context, mirroring the locking mechanism used in pid_show(). Various Linux distributions have released patches to address this vulnerability. For example, Debian has fixed versions available in bullseye (5.10.237-1) and trixie (6.12.48-1) (Debian).
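The race and the fix described above, modeled in userspace as an added example (this is not the kernel's code or the upstream patch). A pthread mutex stands in for damon_sysfs_lock, and struct ctx, struct kdamond, replace_ctx(), writer() and stress() are hypothetical stand-ins for the kernel objects and the concurrent remove/release paths.

```c
#include <pthread.h>
#include <stdlib.h>

struct ctx { int running; };               /* stand-in for struct damon_ctx */
struct kdamond { struct ctx *damon_ctx; }; /* stand-in for the sysfs kdamond */
static pthread_mutex_t sysfs_lock = PTHREAD_MUTEX_INITIALIZER; /* damon_sysfs_lock */

/* Unsafe shape, shown only as a comment: "c = k->damon_ctx; return c->running;"
 * with no lock held, so c can be freed between the load and the dereference. */
/* Safe shape: load and dereference the pointer inside one critical section. */
static int state_show(struct kdamond *k)
{
    int running = 0;
    pthread_mutex_lock(&sysfs_lock);
    if (k->damon_ctx)
        running = k->damon_ctx->running;
    pthread_mutex_unlock(&sysfs_lock);
    return running;
}

/* Writer side: free or replace the context under the same lock. */
static void replace_ctx(struct kdamond *k, int make_new)
{
    struct ctx *fresh = make_new ? malloc(sizeof(*fresh)) : NULL;
    if (fresh) fresh->running = 1;
    pthread_mutex_lock(&sysfs_lock);
    if (k->damon_ctx) k->damon_ctx->running = 0x6b; /* poison before free */
    free(k->damon_ctx);
    k->damon_ctx = fresh;
    pthread_mutex_unlock(&sysfs_lock);
}

static void *writer(void *arg)
{
    for (int i = 0; i <= 20000; i++) /* even i releases, so the last pass frees */
        replace_ctx(arg, i & 1);
    return NULL;
}

/* Race a reader against the writer; returns the number of invalid reads. */
static int stress(void)
{
    struct kdamond k = { 0 };
    pthread_t w;
    int bad = 0;
    if (pthread_create(&w, NULL, writer, &k)) return -1;
    for (int i = 0; i < 20000; i++)
        bad += (unsigned)state_show(&k) > 1u; /* only 0 or 1 is a valid state */
    pthread_join(w, NULL);
    return bad + state_show(&k);              /* context is NULL by now: adds 0 */
}
```

Because the reader and the writer serialize on the same mutex, the reader sees either no context or a live one, never the poisoned value written just before free().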
Source: This report was generated using AI