CVE-2025-39926

Published: Oct 1, 2025

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: genetlink: fix genl_bind() invoking bind() after -EPERM Per family bind/unbind callbacks were introduced to allow families to track multicast group consumer presence, e.g. to start or stop producing events depending on listeners. However, in genl_bind() the bind() callback was invoked even if capability checks failed and ret was set to -EPERM. This means that callbacks could run on behalf of unauthorized callers while the syscall still returned failure to user space. Fix this by only invoking bind() after "if (ret) break;" check i.e. after permission checks have succeeded.

Vendor	Product	Versions
Linux	Linux	affected `3de21a8990d3c2cc507e9cc4ed00f36358d5b93e - < 98c9d884047a3051c203708914a874dece3cbe54` affected `3de21a8990d3c2cc507e9cc4ed00f36358d5b93e - < 8858c1e9405906c09589d7c336f04058ea198207` affected `3de21a8990d3c2cc507e9cc4ed00f36358d5b93e - < 1dbfb0363224f6da56f6655d596dc5097308d6f5`
Linux	Linux	affected `6.9` unaffected `0 - < 6.9` unaffected `6.12.48 - <= 6.12.` unaffected `6.16.8 - <= 6.16.` unaffected `6.17 - <= *`

References

https://git.kernel.org/stable/c/98c9d884047a3051c203708914a874dece3cbe54

https://git.kernel.org/stable/c/8858c1e9405906c09589d7c336f04058ea198207

https://git.kernel.org/stable/c/1dbfb0363224f6da56f6655d596dc5097308d6f5

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-39926

Description

Affected Products

References