AZL-67431

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67431.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-67431

Upstream

CVE-2025-39810

Published

2025-09-16T13:15:53Z

Modified

2026-04-01T05:21:12.125079Z

Summary

CVE-2025-39810 affecting package kernel 6.6.126.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix memory corruption when FW resources change during ifdown

bnxtsetdfltrings() assumes that it is always called before any TC has been created. So it doesn't take bp->numtc into account and assumes that it is always 0 or 1.

In the FW resource or capability change scenario, the FW will return flags in bnxthwrmifchange() that will cause the driver to reinitialize and call bnxtcancelreservations(). This will lead to bnxtinitdfltringmode() calling bnxtsetdfltrings() and bp->numtc may be greater than 1. This will cause bp->txring[] to be sized too small and cause memory corruption in bnxtalloccp_rings().

Fix it by properly scaling the TX rings by bp->numtc in the code paths mentioned above. Add 2 helper functions to determine bp->txnrrings and bp->txnrringsper_tc.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-39810

Affected packages

Azure Linux:3 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

6.6.126.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67431.json"