CVE-2025-39810
- Source
- https://cve.org/CVERecord?id=CVE-2025-39810
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39810.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39810
- Downstream
- Related
- Published
- 2025-09-16T13:00:12.677Z
- Modified
- 2026-03-20T12:43:03.612100Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- bnxt_en: Fix memory corruption when FW resources change during ifdown
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix memory corruption when FW resources change during ifdown
bnxtsetdfltrings() assumes that it is always called before any TC has been created. So it doesn't take bp->numtc into account and assumes that it is always 0 or 1.
In the FW resource or capability change scenario, the FW will return flags in bnxthwrmifchange() that will cause the driver to reinitialize and call bnxtcancelreservations(). This will lead to bnxtinitdfltringmode() calling bnxtsetdfltrings() and bp->numtc may be greater than 1. This will cause bp->txring[] to be sized too small and cause memory corruption in bnxtalloccp_rings().
Fix it by properly scaling the TX rings by bp->numtc in the code paths mentioned above. Add 2 helper functions to determine bp->txnrrings and bp->txnrringsper_tc.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39810.json" }- References
-
- https://git.kernel.org/stable/c/2747328ba2714f1a7454208dbbc1dc0631990b4a
- https://git.kernel.org/stable/c/9ab6a9950f152e094395d2e3967f889857daa185
- https://git.kernel.org/stable/c/d00e98977ef519280b075d783653e2c492fffbb6
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39810.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-39810
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git