CVE-2025-39949

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-39949
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39949.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-39949
Published
2025-10-04T07:31:10.164Z
Modified
2025-11-28T02:34:35.313456Z
Summary
qed: Don't collect too many protection override GRC elements
Details

In the Linux kernel, the following vulnerability has been resolved:

qed: Don't collect too many protection override GRC elements

In the protection override dump path, the firmware can return far too many GRC elements, resulting in attempting to write past the end of the previously-kmalloc'ed dump buffer.

This will result in a kernel panic with reason:

BUG: unable to handle kernel paging request at ADDRESS

where "ADDRESS" is just past the end of the protection override dump buffer. The start address of the buffer is: p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf and the size of the buffer is buf_size in the same data structure.

The panic can be arrived at from either the qede Ethernet driver path:

[exception RIP: qed_grc_dump_addr_range+0x108]

qed_protection_override_dump at ffffffffc02662ed [qed]
qed_dbg_protection_override_dump at ffffffffc0267792 [qed]
qed_dbg_feature at ffffffffc026aa8f [qed]
qed_dbg_all_data at ffffffffc026b211 [qed]
qed_fw_fatal_reporter_dump at ffffffffc027298a [qed]
devlink_health_do_dump at ffffffff82497f61
devlink_health_report at ffffffff8249cf29
qed_report_fatal_error at ffffffffc0272baf [qed]
qede_sp_task at ffffffffc045ed32 [qede]
process_one_work at ffffffff81d19783

or the qedf storage driver path:

[exception RIP: qed_grc_dump_addr_range+0x108]

qed_protection_override_dump at ffffffffc068b2ed [qed]
qed_dbg_protection_override_dump at ffffffffc068c792 [qed]
qed_dbg_feature at ffffffffc068fa8f [qed]
qed_dbg_all_data at ffffffffc0690211 [qed]
qed_fw_fatal_reporter_dump at ffffffffc069798a [qed]
devlink_health_do_dump at ffffffff8aa95e51
devlink_health_report at ffffffff8aa9ae19
qed_report_fatal_error at ffffffffc0697baf [qed]
qed_hw_err_notify at ffffffffc06d32d7 [qed]
qed_spq_post at ffffffffc06b1011 [qed]
qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed]
qedf_cleanup_fcport at ffffffffc05e7597 [qedf]
qedf_rport_event_handler at ffffffffc05e7bf7 [qedf]
fc_rport_work at ffffffffc02da715 [libfc]
process_one_work at ffffffff8a319663

Resolve this by clamping the firmware's return value to the maximum number of legal elements the firmware should return.
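As an added illustration (not code from the qed driver or from this record), the following uses assumed element sizes and a constructed firmware reply to show why a dump that trusts the firmware's element count runs past its buffer, and how clamping the count to the legal maximum bounds the write:

```c
/* Added illustration, not the qed driver's own code: a dump routine that
 * sizes its writes from a firmware-returned element count, run with the
 * count trusted as-is (the bug) and clamped to the legal maximum (the fix).
 * Names, sizes and the firmware reply are assumed/constructed. */
#include <stddef.h>
#include <stdint.h>

#define MAX_OVERRIDE_ELEMENTS 8u   /* assumed legal maximum */
#define DWORDS_PER_ELEMENT    2u   /* assumed dwords per GRC element */

struct dump_buf {
    uint32_t *buf;     /* previously kmalloc'ed dump buffer */
    size_t buf_size;   /* capacity in bytes, as in the record */
};

/* The fix pattern: never dump more elements than the format allows. */
static uint32_t clamp_num_elements(uint32_t fw_num_elements)
{
    return fw_num_elements > MAX_OVERRIDE_ELEMENTS ? MAX_OVERRIDE_ELEMENTS
                                                   : fw_num_elements;
}

/* Writes num_elements into d. Returns dwords written, or 0 when the
 * request would run past buf_size (the real driver had no such guard and
 * wrote off the end, hence the paging-request panic). */
static size_t dump_elements(struct dump_buf *d, uint32_t num_elements)
{
    size_t need = (size_t)num_elements * DWORDS_PER_ELEMENT * sizeof(uint32_t);

    if (need > d->buf_size)
        return 0;
    for (uint32_t i = 0; i < num_elements; i++) {
        d->buf[i * DWORDS_PER_ELEMENT]     = i;          /* constructed header */
        d->buf[i * DWORDS_PER_ELEMENT + 1] = 0xA5A5A5A5; /* constructed payload */
    }
    return (size_t)num_elements * DWORDS_PER_ELEMENT;
}

/* One dump against a buffer sized for the legal maximum; fw_reply is the
 * constructed count the firmware claims to have. */
static size_t run_dump(uint32_t fw_reply, int clamp)
{
    static uint32_t storage[MAX_OVERRIDE_ELEMENTS * DWORDS_PER_ELEMENT];
    struct dump_buf d = { storage, sizeof(storage) };
    uint32_t n = clamp ? clamp_num_elements(fw_reply) : fw_reply;

    return dump_elements(&d, n);
}
```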

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39949.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d52c89f120de849575f6b2e5948038f2be12ce6f
Fixed
25672c620421fa2105703a94a29a03487245e6d6
Fixed
e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c
Fixed
8141910869596b7a3a5d9b46107da2191d523f82
Fixed
ea53e6a47e148b490b1c652fc65d2de5a086df76
Fixed
660b2a8f5a306a28c7efc1b4990ecc4912a68f87
Fixed
70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3
Fixed
56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.18.0
Fixed
5.10.245
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.194
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.154
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.108
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.49
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.16.9