CVE-2025-39790
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when processing completion for chained transactions, but can lead to nasty results if the device sends an event for a single-element transaction with a read pointer that is multiple elements ahead of the host's read pointer. For instance, if the host accesses an event ring while the device is updating it, the pointer inside of the event might still point to an old TRE. If the host uses the channel's xfer_cb() to directly free the buffer pointed to by the TRE, the buffer will be double-freed. This behavior was observed on an ep that used upstream EP stack without 'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer is written")'. Where the device updated the events ring pointer before updating the event contents, so it left a window where the host was able to access the stale data the event pointed to, before the device had the chance to update them. The usual pattern was that the host received an event pointing to a TRE that is not immediately after the last processed one, so it got treated as if it was a chained transaction, processing all of the TREs in between the two read pointers. This commit aims to harden the host by ensuring transactions where the event points to a TRE that isn't local_rp + 1 are chained. [mani: added stable tag and reworded commit message]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2025-11-03
Generated
2026-05-07
AI Q&A
2025-09-11
EPSS Evaluated
2026-05-05
NVD
CVE-2025-39790
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel 6.1.153-1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's MHI bus host driver when processing completion events from a remote device. The device sends a pointer to a consumed Transfer Ring Element (TRE), which the host uses to process TREs between its current read pointer and the pointer received. If the device sends an event for a single-element transaction but the pointer is multiple elements ahead, the host may incorrectly treat it as a chained transaction and process multiple TREs. This can lead to the host accessing stale data and potentially double-freeing buffers, causing instability or crashes. The issue arises because the device updates the event ring pointer before updating the event contents, creating a window where the host reads outdated pointers.


How can this vulnerability impact me? :

This vulnerability can cause the host system to double-free memory buffers due to processing stale or incorrect pointers from the device. This can lead to system instability, crashes, or potential denial of service conditions if exploited or triggered unintentionally.


What immediate steps should I take to mitigate this vulnerability?

Update the Linux kernel to a version that includes the fix for this vulnerability, specifically the commit that ensures the host treats transactions where the event points to a TRE that isn't local_rp + 1 as chained. This hardening prevents double-free conditions caused by stale event pointers.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart