{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39788", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.131Z", "datePublished": "2025-09-11T16:56:37.173Z", "dateUpdated": "2025-09-11T16:56:37.173Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-11T16:56:37.173Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE\n\nOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,\nand in this case the driver ends up programming the UTRL_NEXUS_TYPE\nincorrectly as 0.\n\nThis is because the left hand side of the shift is 1, which is of type\nint, i.e. 31 bits wide. Shifting by more than that width results in\nundefined behaviour.\n\nFix this by switching to the BIT() macro, which applies correct type\ncasting as required. This ensures the correct value is written to\nUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift\nwarning:\n\n UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21\n shift exponent 32 is too large for 32-bit type 'int'\n\nFor consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE\nwrite."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/ufs/host/ufs-exynos.c"], "versions": [{"version": "55f4b1f73631a0817717fe6e98517de51b4c3527", "lessThan": "01510a9e8222f11cce064410f3c2fcf0756c0a08", "status": "affected", "versionType": "git"}, {"version": "55f4b1f73631a0817717fe6e98517de51b4c3527", "lessThan": "098b2c8ee208c77126839047b9e6e1925bb35baa", "status": "affected", "versionType": "git"}, {"version": "55f4b1f73631a0817717fe6e98517de51b4c3527", "lessThan": "c1f025da8f370a015e412b55cbcc583f91de8316", "status": "affected", "versionType": "git"}, {"version": "55f4b1f73631a0817717fe6e98517de51b4c3527", "lessThan": "6d53b2a134da77eb7fe65c5c7c7a3c193539a78a", "status": "affected", "versionType": "git"}, {"version": "55f4b1f73631a0817717fe6e98517de51b4c3527", "lessThan": "dc8fb963742f1a38d284946638f9358bdaa0ddee", "status": "affected", "versionType": "git"}, {"version": "55f4b1f73631a0817717fe6e98517de51b4c3527", "lessThan": "5b9f1ef293428ea9c0871d96fcec2a87c4445832", "status": "affected", "versionType": "git"}, {"version": "55f4b1f73631a0817717fe6e98517de51b4c3527", "lessThan": "01aad16c2257ab8ff33b152b972c9f2e1af47912", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/ufs/host/ufs-exynos.c"], "versions": [{"version": "5.9", "status": "affected"}, {"version": "0", "lessThan": "5.9", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.241", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.190", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.149", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.103", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.44", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.4", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "5.10.241"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "5.15.190"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.1.149"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.6.103"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.12.44"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.16.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.17-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/01510a9e8222f11cce064410f3c2fcf0756c0a08"}, {"url": "https://git.kernel.org/stable/c/098b2c8ee208c77126839047b9e6e1925bb35baa"}, {"url": "https://git.kernel.org/stable/c/c1f025da8f370a015e412b55cbcc583f91de8316"}, {"url": "https://git.kernel.org/stable/c/6d53b2a134da77eb7fe65c5c7c7a3c193539a78a"}, {"url": "https://git.kernel.org/stable/c/dc8fb963742f1a38d284946638f9358bdaa0ddee"}, {"url": "https://git.kernel.org/stable/c/5b9f1ef293428ea9c0871d96fcec2a87c4445832"}, {"url": "https://git.kernel.org/stable/c/01aad16c2257ab8ff33b152b972c9f2e1af47912"}], "title": "scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE\n\nOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,\nand in this case the driver ends up programming the UTRL_NEXUS_TYPE\nincorrectly as 0.\n\nThis is because the left hand side of the shift is 1, which is of type\nint, i.e. 31 bits wide. Shifting by more than that width results in\nundefined behaviour.\n\nFix this by switching to the BIT() macro, which applies correct type\ncasting as required. This ensures the correct value is written to\nUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift\nwarning:\n\n UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21\n shift exponent 32 is too large for 32-bit type 'int'\n\nFor consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE\nwrite."}], "id": "CVE-2025-39788", "lastModified": "2025-09-11T17:15:45.070", "metrics": {}, "published": "2025-09-11T17:15:45.070", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/01510a9e8222f11cce064410f3c2fcf0756c0a08"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/01aad16c2257ab8ff33b152b972c9f2e1af47912"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/098b2c8ee208c77126839047b9e6e1925bb35baa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5b9f1ef293428ea9c0871d96fcec2a87c4445832"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6d53b2a134da77eb7fe65c5c7c7a3c193539a78a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c1f025da8f370a015e412b55cbcc583f91de8316"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dc8fb963742f1a38d284946638f9358bdaa0ddee"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}