CVE-2025-39741 in Linux

Summary

by MITRE • 09/11/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/migrate: don't overflow max copy size

With non-page aligned copy, we need to use 4 byte aligned pitch, however the size itself might still be close to our maximum of ~8M, and so the dimensions of the copy can easily exceed the S16_MAX limit of the copy command leading to the following assert:

xe 0000:03:00.0: [drm] Assertion `size / pitch <= ((s16)(((u16)~0U) >> 1))` failed!
platform: BATTLEMAGE subplatform: 1 graphics: Xe2_HPG 20.01 step A0 media: Xe2_HPM 13.01 step A1 tile: 0 VRAM 10.0 GiB GT: 0 type 1

WARNING: CPU: 23 PID: 10605 at drivers/gpu/drm/xe/xe_migrate.c:673 emit_copy+0x4b5/0x4e0 [xe]

To fix this, account for the pitch when calculating the number of current bytes to copy.

(cherry picked from commit 8c2d61e0e916e077fda7e7b8e67f25ffe0f361fc)


Analysis

by VulDB Data Team • 11/26/2025

The vulnerability CVE-2025-39741 affects the Linux kernel's graphics subsystem, specifically within the Intel Xe graphics driver implementation. This issue resides in the drm/xe/migrate component where memory copy operations are handled for graphics processing units. The flaw manifests when dealing with non-page aligned memory transfers that require 4-byte aligned pitch values, creating a scenario where the calculated copy dimensions can exceed system limits. The vulnerability represents a classic buffer overflow condition that occurs during graphics memory management operations, particularly impacting systems utilizing Intel Xe graphics hardware including Xe2_HPG and Xe2_HPM variants.

The technical root cause is an improper calculation of memory copy parameters in the emit_copy function, at line 673 of the xe_migrate.c source file. When processing non-page aligned data transfers, the driver must keep the pitch 4-byte aligned while handling copy sizes that can approach the theoretical maximum of approximately 8 megabytes. Because the pitch is not taken into account when calculating the number of bytes to copy, the dimensions of the copy can exceed the S16_MAX limit. The assertion enforces the copy command's constraint that size divided by pitch must not exceed the signed 16-bit maximum value; when it fails, the result is kernel panic conditions.

The operational impact of this vulnerability extends beyond simple system instability to potentially enable privilege escalation and denial of service conditions within graphics-intensive applications. Systems running the affected kernel versions with Intel Xe graphics hardware become susceptible to crashes during normal graphics operations, particularly when handling large or complex memory transfers. The vulnerability affects specific hardware configurations including BATTLEMAGE subplatforms with Xe2_HPG 20.01 step A0 and Xe2_HPM 13.01 step A1 graphics processors, making it particularly relevant for enterprise and workstation environments relying on Intel's latest graphics architectures. The assertion failure at the kernel level creates a critical point of failure that can compromise system stability and availability.

Mitigation strategies for this vulnerability involve applying the patched kernel version that implements proper pitch accounting during copy size calculations. The fix modifies the xe_migrate.c file to correctly handle the relationship between pitch and size parameters, ensuring that copy dimensions remain within acceptable limits. Organizations should prioritize kernel updates to address this issue, particularly in environments where graphics-intensive workloads are common. The vulnerability aligns with CWE-129 Input Validation and CWE-787 Out-of-bounds Write categories, representing a memory safety issue that could potentially be exploited to gain unauthorized access to system resources or cause system crashes. Security teams should monitor for potential exploitation attempts targeting graphics drivers and implement appropriate system hardening measures to prevent unauthorized access to graphics processing capabilities.
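The arithmetic behind the quoted assertion and the fix described above, as an added C model that is not the xe driver's code. The 8 MiB maximum, the 4096-byte page pitch, the choice of pitch from the chunk size alone, and all function and macro names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model; names and constants are assumptions, not the xe driver's. */
#define COPY_ROWS_MAX   INT16_MAX            /* S16_MAX from the quoted assertion */
#define MAX_COPY_BYTES  (8u * 1024 * 1024)   /* assumed value of the "~8M" maximum */
#define PAGE_BYTES      4096u                /* assumed page size and aligned pitch */
#define UNALIGNED_PITCH 4u                   /* 4-byte pitch for non-page-aligned copies */

typedef uint64_t (*chunk_fn)(uint64_t bytes_left);

/* Simplification: the pitch is chosen from the chunk size alone. */
static uint32_t pick_pitch(uint64_t size) {
    return (size % PAGE_BYTES) ? UNALIGNED_PITCH : PAGE_BYTES;
}

/* The condition the assertion enforces: size / pitch <= S16_MAX. */
static int rows_fit(uint64_t size) {
    return size / pick_pitch(size) <= (uint64_t)COPY_ROWS_MAX;
}

/* Before: the chunk is capped only by the maximum copy size. */
static uint64_t chunk_unclamped(uint64_t bytes_left) {
    return bytes_left < MAX_COPY_BYTES ? bytes_left : MAX_COPY_BYTES;
}

/* After: the chunk is also capped at pitch * S16_MAX, so the row count fits. */
static uint64_t chunk_clamped(uint64_t bytes_left) {
    uint64_t cur = chunk_unclamped(bytes_left);
    uint64_t limit = (uint64_t)pick_pitch(cur) * COPY_ROWS_MAX;
    return cur < limit ? cur : limit;
}

/* Walk a whole transfer; return 1 only if every emitted chunk passes rows_fit(). */
static int all_chunks_fit(uint64_t total, chunk_fn next_chunk) {
    while (total) {
        uint64_t cur = next_chunk(total);
        if (!rows_fit(cur))
            return 0;
        total -= cur;
    }
    return 1;
}

int main(void) {
    uint64_t total = MAX_COPY_BYTES - 4;     /* just under the maximum, not page aligned */
    printf("unclamped ok=%d clamped ok=%d\n", all_chunks_fit(total, chunk_unclamped), all_chunks_fit(total, chunk_clamped));
    return 0;
}
```

With a 4-byte pitch the largest chunk that satisfies the check is 4 * 32767 = 131068 bytes, far below the ~8M ceiling that page-aligned copies can still use.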

Responsible: Linux
Reservation: 04/16/2025
Disclosure: 09/11/2025
Moderation: accepted
CPE: ready
EPSS: 0.00128
KEV: no
Activities: very low
