CVE-2025-39915: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-39915 is a vulnerability discovered in the Linux kernel related to a circular locking dependency between statemutex and phylock in the network PHY driver component. The vulnerability was disclosed on October 1, 2025, affecting the Linux kernel's networking subsystem, specifically the phylink component (NVD, RedHat).

The vulnerability stems from a circular locking dependency (AB/BA) between &pl->statemutex and &phy->lock. The issue occurs in the phylinkresolve() function which acquires &pl->statemutex and then calls phylinkmajorconfig() which leads to phyconfiginband() acquiring &pl->phydev->lock. This locking scheme is reversed compared to other call sites where &pl->phydev->lock is acquired at the top level and &pl->statemutex at the lower level. The vulnerability has been assigned a CVSS v3.1 score of 7.0 (High) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (RedHat).

The vulnerability creates a serious deadlock risk in the kernel if an existing phylinkresolve() thread, which results in a phyconfiginband() call, runs concurrently with a phylinkup() or phylink_down() call. While the practical impact may be limited by the slow speed of the medium auto-negotiation protocol, making it unlikely for the current state to still be unresolved when a new one is detected, the potential for deadlock remains (NVD).

The solution involves transferring the phyconfiginband() requirement of having phydev->lock acquired to the caller (phylink). The lock acquisition must be moved up in the call chain to occur immediately before &pl->state_mutex is acquired, for cases where that takes place (NVD).