CVE-2025-39989: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-39989 is a vulnerability in the Linux kernel related to memory failure handling that was discovered on April 18, 2025. The issue specifically affects the x86/mce subsystem and involves two critical regressions in memory failure handling that appeared in upstream kernel versions since 5.17, compared to 5.10 LTS (NVD, Debian Tracker).

The vulnerability manifests in two scenarios: 1) A 'copyin case' where poison is found in user page while kernel is copying from user space, and 2) An 'instr case' where poison is found while instruction fetching in user space. The issue was introduced by commit 4c132d1d844a which changed the extable fixup type from EXTYPEUACCESS to EXTYPEEFAULT_REG for copy-from-user operations. Red Hat has assigned this vulnerability a CVSS v3 Base Score of 5.5 with Local attack vector and Low attack complexity (Red Hat CVE).

The vulnerability can lead to two types of failures: In the copyin case, it results in a kernel panic since version 5.17. In the instruction fetching case, it causes user processes to be killed by a SIGBUS signal due to a race condition between #CMCI and #MCE (NVD).

The issue has been fixed in various Linux distributions. Debian has fixed the vulnerability in version 6.12.25-1 for sid, while it remains vulnerable in bookworm (6.1.135-1) and trixie (6.12.22-1). Red Hat Enterprise Linux 9 has deferred the fix for both kernel and kernel-rt packages (Debian Tracker, Red Hat CVE).