CVE-2025-39928
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-12-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

i2c: rtl9300: ensure data length is within supported range

Add an explicit check for the xfer length to 'rtl9300_i2c_config_xfer' to ensure the data length isn't within the supported range. In particular a data length of 0 is not supported by the hardware and causes unintended or destructive behaviour.

This limitation becomes obvious when looking at the register documentation [1]. 4 bits are reserved for DATA_WIDTH and the value of these 4 bits is used as N + 1, allowing a data length range of 1 <= len <= 16.

Affected by this is the SMBus Quick Operation which works with a data length of 0. Passing 0 as the length causes an underflow of the value due to:

(len - 1) & 0xf

and effectively specifying a transfer length of 16 via the registers. This causes a 16-byte write operation instead of a Quick Write. For example, on SFP modules without write-protected EEPROM this soft-bricks them by overwriting some initial bytes.

For completeness, also add a quirk for the zero length.

[1] https://svanheule.net/realtek/longan/register/i2c_mst1_ctrl2
Meta Information
Published: 2025-10-01
Last Modified: 2025-12-10
Generated: 2026-05-07
AI Q&A: 2025-10-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 5 associated CPEs
Vendor | Product | Version / Range
linux | linux_kernel | From 6.13 (inc) to 6.16.8 (exc)
linux | linux_kernel | 6.17
linux | linux_kernel | 6.17
linux | linux_kernel | 6.17
linux | linux_kernel | 6.17
CWE ID | Description
CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's i2c rtl9300 driver occurs because the code did not properly check the data length for I2C transfers. Specifically, a data length of 0 is not supported by the hardware but was allowed, causing an underflow that made the hardware interpret the length as 16 bytes instead of 0. This leads to unintended behavior such as overwriting data during SMBus Quick Operations, which expect a zero-length transfer. This can cause destructive effects like soft-bricking SFP modules by overwriting initial bytes of their EEPROM.


How can this vulnerability impact me?

This vulnerability can cause unintended or destructive behavior on hardware using the rtl9300 I2C controller. For example, it can overwrite critical data on devices like SFP modules that do not have write-protected EEPROM, potentially soft-bricking them. This means devices relying on this driver could malfunction or become unusable due to corrupted data caused by incorrect data length handling.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure your Linux kernel is updated to a version that includes the fix for the rtl9300 i2c driver, which adds an explicit check for data length in rtl9300_i2c_config_xfer. Avoid performing SMBus Quick Operations that use a data length of 0 on affected hardware until the fix is applied, as this can cause destructive behavior such as overwriting EEPROM data.

