{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39787", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.131Z", "datePublished": "2025-09-11T16:56:36.426Z", "dateUpdated": "2025-09-11T16:56:36.426Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-11T16:56:36.426Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: mdt_loader: Ensure we don't read past the ELF header\n\nWhen the MDT loader is used in remoteproc, the ELF header is sanitized\nbeforehand, but that's not necessary the case for other clients.\n\nValidate the size of the firmware buffer to ensure that we don't read\npast the end as we iterate over the header. e_phentsize and e_shentsize\nare validated as well, to ensure that the assumptions about step size in\nthe traversal are valid."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/soc/qcom/mdt_loader.c"], "versions": [{"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1", "lessThan": "1096eb63ecfc8df90b70cd068e6de0c2ff204dfd", "status": "affected", "versionType": "git"}, {"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1", "lessThan": "e1720eb32acf411c328af6a8c8f556c94535808e", "status": "affected", "versionType": "git"}, {"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1", "lessThan": "0d59ce2bfc3bb13abe6240335a1bf7b96536d022", "status": "affected", "versionType": "git"}, {"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1", "lessThan": "43d26997d88c4056fce0324e72f62556bc7e8e8d", "status": "affected", "versionType": "git"}, {"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1", "lessThan": "981c845f29838e468a9bfa87f784307193a31297", "status": "affected", "versionType": "git"}, {"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1", "lessThan": "87bfabb3b2f46827639173f143aa43f7cfc0a7e6", "status": "affected", "versionType": "git"}, {"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1", "lessThan": "81278be4eb5f08ba2c68c3055893e61cc03727fe", "status": "affected", "versionType": "git"}, {"version": "2aad40d911eeb7dcac91c669f2762a28134f0eb1", "lessThan": "9f9967fed9d066ed3dae9372b45ffa4f6fccfeef", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/soc/qcom/mdt_loader.c"], "versions": [{"version": "4.11", "status": "affected"}, {"version": "0", "lessThan": "4.11", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.297", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.241", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.190", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.149", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.103", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.44", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.4", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "5.4.297"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "5.10.241"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "5.15.190"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.1.149"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.6.103"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.12.44"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.16.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.17-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1096eb63ecfc8df90b70cd068e6de0c2ff204dfd"}, {"url": "https://git.kernel.org/stable/c/e1720eb32acf411c328af6a8c8f556c94535808e"}, {"url": "https://git.kernel.org/stable/c/0d59ce2bfc3bb13abe6240335a1bf7b96536d022"}, {"url": "https://git.kernel.org/stable/c/43d26997d88c4056fce0324e72f62556bc7e8e8d"}, {"url": "https://git.kernel.org/stable/c/981c845f29838e468a9bfa87f784307193a31297"}, {"url": "https://git.kernel.org/stable/c/87bfabb3b2f46827639173f143aa43f7cfc0a7e6"}, {"url": "https://git.kernel.org/stable/c/81278be4eb5f08ba2c68c3055893e61cc03727fe"}, {"url": "https://git.kernel.org/stable/c/9f9967fed9d066ed3dae9372b45ffa4f6fccfeef"}], "title": "soc: qcom: mdt_loader: Ensure we don't read past the ELF header", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: mdt_loader: Ensure we don't read past the ELF header\n\nWhen the MDT loader is used in remoteproc, the ELF header is sanitized\nbeforehand, but that's not necessary the case for other clients.\n\nValidate the size of the firmware buffer to ensure that we don't read\npast the end as we iterate over the header. e_phentsize and e_shentsize\nare validated as well, to ensure that the assumptions about step size in\nthe traversal are valid."}], "id": "CVE-2025-39787", "lastModified": "2025-09-11T17:15:44.907", "metrics": {}, "published": "2025-09-11T17:15:44.907", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0d59ce2bfc3bb13abe6240335a1bf7b96536d022"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1096eb63ecfc8df90b70cd068e6de0c2ff204dfd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/43d26997d88c4056fce0324e72f62556bc7e8e8d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/81278be4eb5f08ba2c68c3055893e61cc03727fe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/87bfabb3b2f46827639173f143aa43f7cfc0a7e6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/981c845f29838e468a9bfa87f784307193a31297"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9f9967fed9d066ed3dae9372b45ffa4f6fccfeef"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e1720eb32acf411c328af6a8c8f556c94535808e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: soc: qcom: mdt_loader: Ensure we don't read past the ELF header", "id": "2394649", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394649"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-39787", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-39787\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39787\nhttps://lore.kernel.org/linux-cve-announce/2025091151-CVE-2025-39787-227f@gregkh/T"], "threat_severity": "Low"}