CVE-2025-39836 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved:

efi: stmm: Fix incorrect buffer allocation method

The communication buffer allocated by setup_mm_hdr() is later on passed
to tee_shm_register_kernel_buf(). The latter expects those buffers to be
contiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause
various corruptions or BUGs, specifically since commit 9aec2fb0fd5e
("slab: allocate frozen pages"), though it was broken before as well.

Fix this by using alloc_pages_exact() instead of kmalloc().

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/630c0e6064daf84f17aad1a7d9ca76b562e3fe47
https://git.kernel.org/stable/c/77ff27ff0e4529a003c8a1c2492c111968c378d3
https://git.kernel.org/stable/c/c5e81e672699e0c5557b2b755cc8f7a69aa92bff

History

Tue, 16 Sep 2025 13:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: efi: stmm: Fix incorrect buffer allocation method The communication buffer allocated by setup_mm_hdr() is later on passed to tee_shm_register_kernel_buf(). The latter expects those buffers to be contiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause various corruptions or BUGs, specifically since commit 9aec2fb0fd5e ("slab: allocate frozen pages"), though it was broken before as well. Fix this by using alloc_pages_exact() instead of kmalloc().
Title		efi: stmm: Fix incorrect buffer allocation method
References		https://git.kernel.org/stable/c/630c0e6064daf84f17aad1a7d9ca76b562e3fe47 https://git.kernel.org/stable/c/77ff27ff0e4529a003c8a1c2492c111968c378d3 https://git.kernel.org/stable/c/c5e81e672699e0c5557b2b755cc8f7a69aa92bff

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-09-16T13:08:52.326Z

Updated: 2025-09-16T13:08:52.326Z

Reserved: 2025-04-16T07:20:57.141Z

Link: CVE-2025-39836

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-09-16T14:15:51.983

Modified: 2025-09-16T14:15:51.983

Link: CVE-2025-39836

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39836", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.141Z", "datePublished": "2025-09-16T13:08:52.326Z", "dateUpdated": "2025-09-16T13:08:52.326Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-16T13:08:52.326Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: stmm: Fix incorrect buffer allocation method\n\nThe communication buffer allocated by setup_mm_hdr() is later on passed\nto tee_shm_register_kernel_buf(). The latter expects those buffers to be\ncontiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause\nvarious corruptions or BUGs, specifically since commit 9aec2fb0fd5e\n(\"slab: allocate frozen pages\"), though it was broken before as well.\n\nFix this by using alloc_pages_exact() instead of kmalloc()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/firmware/efi/stmm/tee_stmm_efi.c"], "versions": [{"version": "c44b6be62e8dd4ee0a308c36a70620613e6fc55f", "lessThan": "77ff27ff0e4529a003c8a1c2492c111968c378d3", "status": "affected", "versionType": "git"}, {"version": "c44b6be62e8dd4ee0a308c36a70620613e6fc55f", "lessThan": "630c0e6064daf84f17aad1a7d9ca76b562e3fe47", "status": "affected", "versionType": "git"}, {"version": "c44b6be62e8dd4ee0a308c36a70620613e6fc55f", "lessThan": "c5e81e672699e0c5557b2b755cc8f7a69aa92bff", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/firmware/efi/stmm/tee_stmm_efi.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.45", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.5", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.45"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.16.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.17-rc4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/77ff27ff0e4529a003c8a1c2492c111968c378d3"}, {"url": "https://git.kernel.org/stable/c/630c0e6064daf84f17aad1a7d9ca76b562e3fe47"}, {"url": "https://git.kernel.org/stable/c/c5e81e672699e0c5557b2b755cc8f7a69aa92bff"}], "title": "efi: stmm: Fix incorrect buffer allocation method", "x_generator": {"engine": "bippy-1.2.0"}}}}