CVE-2025-39886: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's BPF subsystem was discovered and assigned CVE-2025-39886. The issue was publicly disclosed on September 23, 2025, affecting the bpf_timer_init() functionality. The vulnerability specifically impacts the Linux kernel's memory management and locking mechanisms (NVD).

The vulnerability occurs when calling bpf_map_kmalloc_node() from __bpf_async_init(), which can trigger various locking issues. The issue manifests when bpf_timer_init() is called during ops.runnable() operations, potentially leading to double-acquiring of locks such as rq_lock, cgroup_file_kn_lock, and worker_pool::lock. The problem is specifically related to the memcg accounting raising MEMCG_MAX events during these operations (NVD).

The vulnerability can result in system hardlocks due to double-acquiring of the same locks, particularly affecting the kernel's memory management and scheduling subsystems. This can potentially lead to system stability issues and denial of service conditions (NVD).

The issue has been fixed by using __GFP_HIGH instead of GFP_ATOMIC in __bpf_async_init(). This modification ensures that when try_charge_memcg() raises a MEMCG_MAX event, __memcg_memory_event() is called with @allow_spinning=false, preventing the problematic cgroup_file_notify() call (NVD).