CVE-2025-39790
Description
In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when processing completion for chained transactions, but can lead to nasty results if the device sends an event for a single-element transaction with a read pointer that is multiple elements ahead of the host's read pointer. For instance, if the host accesses an event ring while the device is updating it, the pointer inside of the event might still point to an old TRE. If the host uses the channel's xfer_cb() to directly free the buffer pointed to by the TRE, the buffer will be double-freed. This behavior was observed on an ep that used upstream EP stack without 'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer is written")'. Where the device updated the events ring pointer before updating the event contents, so it left a window where the host was able to access the stale data the event pointed to, before the device had the chance to update them. The usual pattern was that the host received an event pointing to a TRE that is not immediately after the last processed one, so it got treated as if it was a chained transaction, processing all of the TREs in between the two read pointers. This commit aims to harden the host by ensuring transactions where the event points to a TRE that isn't local_rp + 1 are chained. [mani: added stable tag and reworded commit message]
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 6.1.153-1 |
| debian | forky | fixed | 6.16.5-1 |
| debian | sid | fixed | 6.16.5-1 |
| debian | trixie | fixed | 6.12.48-1 |
| debian | bullseye | fixed | 6.1.153-1~deb11u1 |
| linux-kernel | affected | 5.15.190 | |
| debian | 11.0 | affected | |
References
- https://git.kernel.org/stable/c/2ec99b922f4661521927eeada76f431eebfbabc4
- https://git.kernel.org/stable/c/4079c6c59705b96285219b9efc63cab870d757b7
- https://git.kernel.org/stable/c/44e1a079e18f78d6594a715b0c6d7e18c656f7b9
- https://git.kernel.org/stable/c/5bd398e20f0833ae8a1267d4f343591a2dd20185
- https://git.kernel.org/stable/c/5e17429679a8545afe438ce7a82a13a54e8ceabb
- https://git.kernel.org/stable/c/7b3f0e3b60c27f4fcb69927d84987e5fd6240530
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://cert-portal.siemens.com/productcert/html/ssa-032379.html
- https://www.suse.com/security/cve/CVE-2025-39790.html
- https://security-tracker.debian.org/tracker/CVE-2025-39790
CWEs
CWE-415
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.