CVE-2025-39810
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-39810
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39810.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39810
- Downstream
- Related
- Published
- 2025-09-16T13:00:12Z
- Modified
- 2025-10-18T06:10:03.407892Z
- Summary
- bnxt_en: Fix memory corruption when FW resources change during ifdown
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix memory corruption when FW resources change during ifdown
bnxtsetdfltrings() assumes that it is always called before any TC has been created. So it doesn't take bp->numtc into account and assumes that it is always 0 or 1.
In the FW resource or capability change scenario, the FW will return flags in bnxthwrmifchange() that will cause the driver to reinitialize and call bnxtcancelreservations(). This will lead to bnxtinitdfltringmode() calling bnxtsetdfltrings() and bp->numtc may be greater than 1. This will cause bp->txring[] to be sized too small and cause memory corruption in bnxtalloccp_rings().
Fix it by properly scaling the TX rings by bp->numtc in the code paths mentioned above. Add 2 helper functions to determine bp->txnrrings and bp->txnrringsper_tc.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedec5d31e3c15d5233b491400133c67f78a320062cFixedd00e98977ef519280b075d783653e2c492fffbb6
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedec5d31e3c15d5233b491400133c67f78a320062cFixed9ab6a9950f152e094395d2e3967f889857daa185
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedec5d31e3c15d5233b491400133c67f78a320062cFixed2747328ba2714f1a7454208dbbc1dc0631990b4a
Affected versions
v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.3
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.2
v6.16.3
v6.16.4
v6.17-rc1
v6.17-rc2
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"target": {
"function": "bnxt_set_dflt_rings",
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-26963204",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2747328ba2714f1a7454208dbbc1dc0631990b4a",
"digest": {
"function_hash": "294605896331105177936880505650054940499",
"length": 1516.0
}
},
{
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-35a830ba",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ab6a9950f152e094395d2e3967f889857daa185",
"digest": {
"threshold": 0.9,
"line_hashes": [
"98202826245097191022744952541617002658",
"207203204086847726759084268396716226644",
"259466131743189472239281169587319825381",
"180516822529054235679462146402938767968",
"111676883770049659497047583300907788618",
"256397189222709966547039711977592185695",
"158788416628224177098085614845476365142",
"82714095992963265582172883436489567956",
"77301985254248348094944868120072604065",
"53291804101683944515237346778115353003",
"131579903586256553454587388119854689294",
"174760114821803522723490172042054046191",
"95994426674726879730787273269797540637",
"86013103312348621264601407099948757506",
"66709215481914728482291752517951294988",
"312982345382153047548753806951705108380",
"20990105369883018412983685617356786795",
"197379810814337941193021308747272773232",
"2046225440962584456816210624093456511",
"254610340467440624942218130111861032741",
"336209692713659266689579145306530604133",
"99047161069699143215396671670961543337",
"20445574900338687622033226120377336939"
]
}
},
{
"target": {
"function": "bnxt_init_dflt_ring_mode",
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-793b5ba3",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ab6a9950f152e094395d2e3967f889857daa185",
"digest": {
"function_hash": "210304721416872425462244574782347477318",
"length": 607.0
}
},
{
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-7e936f97",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2747328ba2714f1a7454208dbbc1dc0631990b4a",
"digest": {
"threshold": 0.9,
"line_hashes": [
"98202826245097191022744952541617002658",
"207203204086847726759084268396716226644",
"259466131743189472239281169587319825381",
"180516822529054235679462146402938767968",
"111676883770049659497047583300907788618",
"256397189222709966547039711977592185695",
"158788416628224177098085614845476365142",
"82714095992963265582172883436489567956",
"77301985254248348094944868120072604065",
"53291804101683944515237346778115353003",
"131579903586256553454587388119854689294",
"174760114821803522723490172042054046191",
"95994426674726879730787273269797540637",
"86013103312348621264601407099948757506",
"66709215481914728482291752517951294988",
"312982345382153047548753806951705108380",
"20990105369883018412983685617356786795",
"197379810814337941193021308747272773232",
"2046225440962584456816210624093456511",
"254610340467440624942218130111861032741",
"336209692713659266689579145306530604133",
"99047161069699143215396671670961543337",
"20445574900338687622033226120377336939"
]
}
},
{
"target": {
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-86c13703",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d00e98977ef519280b075d783653e2c492fffbb6",
"digest": {
"threshold": 0.9,
"line_hashes": [
"98202826245097191022744952541617002658",
"207203204086847726759084268396716226644",
"259466131743189472239281169587319825381",
"180516822529054235679462146402938767968",
"111676883770049659497047583300907788618",
"256397189222709966547039711977592185695",
"158788416628224177098085614845476365142",
"82714095992963265582172883436489567956",
"77301985254248348094944868120072604065",
"53291804101683944515237346778115353003",
"131579903586256553454587388119854689294",
"174760114821803522723490172042054046191",
"95994426674726879730787273269797540637",
"86013103312348621264601407099948757506",
"66709215481914728482291752517951294988",
"312982345382153047548753806951705108380",
"20990105369883018412983685617356786795",
"197379810814337941193021308747272773232",
"2046225440962584456816210624093456511",
"254610340467440624942218130111861032741",
"336209692713659266689579145306530604133",
"99047161069699143215396671670961543337",
"20445574900338687622033226120377336939"
]
}
},
{
"target": {
"function": "bnxt_set_dflt_rings",
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-8ada01de",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d00e98977ef519280b075d783653e2c492fffbb6",
"digest": {
"function_hash": "294605896331105177936880505650054940499",
"length": 1516.0
}
},
{
"target": {
"function": "bnxt_trim_dflt_sh_rings",
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-aae6f07e",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2747328ba2714f1a7454208dbbc1dc0631990b4a",
"digest": {
"function_hash": "42819711699868774137218282257939076722",
"length": 290.0
}
},
{
"target": {
"function": "bnxt_init_dflt_ring_mode",
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-ba56c444",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d00e98977ef519280b075d783653e2c492fffbb6",
"digest": {
"function_hash": "210304721416872425462244574782347477318",
"length": 607.0
}
},
{
"target": {
"function": "bnxt_init_dflt_ring_mode",
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-c165d5c5",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2747328ba2714f1a7454208dbbc1dc0631990b4a",
"digest": {
"function_hash": "210304721416872425462244574782347477318",
"length": 607.0
}
},
{
"target": {
"function": "bnxt_trim_dflt_sh_rings",
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-c631306d",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ab6a9950f152e094395d2e3967f889857daa185",
"digest": {
"function_hash": "42819711699868774137218282257939076722",
"length": 290.0
}
},
{
"target": {
"function": "bnxt_trim_dflt_sh_rings",
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-dc5fe01f",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d00e98977ef519280b075d783653e2c492fffbb6",
"digest": {
"function_hash": "42819711699868774137218282257939076722",
"length": 290.0
}
},
{
"target": {
"function": "bnxt_set_dflt_rings",
"file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
},
"id": "CVE-2025-39810-f8c8e54c",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ab6a9950f152e094395d2e3967f889857daa185",
"digest": {
"function_hash": "294605896331105177936880505650054940499",
"length": 1516.0
}
}
]