CVE-2025-39809
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-12-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length The QuickI2C ACPI _DSD methods return ICRS and ISUB data with a trailing byte, making the actual length is one more byte than the structs defined. It caused stack-out-of-bounds and kernel crash: kernel: BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75 kernel: kernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary) kernel: Workqueue: async async_run_entry_fn kernel: Call Trace: kernel: <TASK> kernel: dump_stack_lvl+0x76/0xa0 kernel: print_report+0xd1/0x660 kernel: ? __pfx__raw_spin_lock_irqsave+0x10/0x10 kernel: ? __kasan_slab_free+0x5d/0x80 kernel: ? kasan_addr_to_slab+0xd/0xb0 kernel: kasan_report+0xe1/0x120 kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: kasan_check_range+0x11c/0x200 kernel: __asan_memcpy+0x3b/0x80 kernel: quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c] kernel: quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c] [...] kernel: </TASK> kernel: kernel: The buggy address belongs to stack of task kworker/u33:2/75 kernel: and is located at offset 48 in frame: kernel: quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c] kernel: kernel: This frame has 3 objects: kernel: [32, 36) 'hid_desc_addr' kernel: [48, 59) 'i2c_param' kernel: [80, 224) 'i2c_config' ACPI DSD methods return: \_SB.PC00.THC0.ICRS Buffer 000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00 \_SB.PC00.THC0.ISUB Buffer 00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00 Adding reserved padding to quicki2c_subip_acpi_parameter/config.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-12-02
Generated
2026-05-07
AI Q&A
2025-09-16
EPSS Evaluated
2026-05-05
NVD
CVE-2025-39809
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.14 (inc) to 6.16.5 (exc)
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel 6.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stack-out-of-bounds error in the Linux kernel's intel-quicki2c driver related to ACPI _DSD methods. The _DSD methods return ICRS and ISUB data with an extra trailing byte, making the data length one byte longer than the defined structures. This mismatch causes the kernel to write beyond the allocated stack buffer, leading to a stack-out-of-bounds condition and a kernel crash.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to crash due to a stack-out-of-bounds write, which may lead to system instability or denial of service. The kernel crash occurs when the intel-quicki2c driver processes ACPI data with incorrect length, potentially affecting system reliability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring kernel logs for specific KASAN (Kernel Address Sanitizer) stack-out-of-bounds errors related to the intel_quicki2c driver. You can check the kernel log for messages similar to: 'BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property'. Commands to detect this include: 'dmesg | grep -i quicki2c' or 'journalctl -k | grep -i quicki2c'. These commands help identify if the kernel has logged any crashes or memory errors related to this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the Linux kernel to a version where this vulnerability is fixed, as the issue has been resolved by adding reserved padding to quicki2c_subip_acpi_parameter/config. Until an update is applied, monitoring for kernel crashes and avoiding workloads that trigger the intel_quicki2c ACPI _DSD methods may reduce risk. There are no specific configuration changes or patches mentioned other than applying the fixed kernel version.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart