CVE-2025-39810
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-12-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix memory corruption when FW resources change during ifdown bnxt_set_dflt_rings() assumes that it is always called before any TC has been created. So it doesn't take bp->num_tc into account and assumes that it is always 0 or 1. In the FW resource or capability change scenario, the FW will return flags in bnxt_hwrm_if_change() that will cause the driver to reinitialize and call bnxt_cancel_reservations(). This will lead to bnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp->num_tc may be greater than 1. This will cause bp->tx_ring[] to be sized too small and cause memory corruption in bnxt_alloc_cp_rings(). Fix it by properly scaling the TX rings by bp->num_tc in the code paths mentioned above. Add 2 helper functions to determine bp->tx_nr_rings and bp->tx_nr_rings_per_tc.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-12-02
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-39810
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.4 (inc) to 6.12.45 (exc)
linux linux_kernel From 6.13 (inc) to 6.16.5 (exc)
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel 6.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's bnxt_en driver where a function called bnxt_set_dflt_rings() incorrectly assumes it is always called before any traffic classes (TC) are created, meaning it assumes the number of TCs (bp->num_tc) is 0 or 1. However, when firmware (FW) resources or capabilities change, the driver reinitializes and bp->num_tc can be greater than 1. This causes the driver to allocate too small a size for the transmit (TX) rings, leading to memory corruption during ring allocation. The fix involves properly scaling the TX rings based on the actual number of TCs and adding helper functions to correctly determine the number of TX rings.

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel network driver, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service by exploiting the corrupted memory.

Mitigation Strategies

Apply the patch or update to the Linux kernel version that includes the fix for the bnxt_en driver memory corruption issue. Specifically, ensure that the driver properly handles the number of traffic classes (bp->num_tc) when setting default TX rings to prevent memory corruption. Until the update is applied, avoid scenarios that trigger firmware resource or capability changes that cause driver reinitialization.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-39810. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart