Linux Kernel up to 6.16.8 Qede Ethernet Driver p_hwfn return value

CVSS Meta Temp Score
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.
Current Exploit Price (≈)
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.
CTI Interest Score
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.
6.6$0-$5k0.00

Summaryinfo

A vulnerability marked as critical has been reported in Linux Kernel up to 6.16.8. The impacted element is the function p_hwfn of the component Qede Ethernet Driver. This manipulation causes return value. This vulnerability is tracked as CVE-2025-39949. No exploit exists. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Linux Kernel up to 6.16.8 and classified as critical. Affected by this vulnerability is the function p_hwfn of the component Qede Ethernet Driver. The manipulation with an unknown input leads to a return value vulnerability. The CWE definition for the vulnerability is CWE-252. The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: qed: Don't collect too many protection override GRC elements In the protection override dump path, the firmware can return far too many GRC elements, resulting in attempting to write past the end of the previously-kmalloc'ed dump buffer. This will result in a kernel panic with reason: BUG: unable to handle kernel paging request at ADDRESS where "ADDRESS" is just past the end of the protection override dump buffer. The start address of the buffer is: p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf and the size of the buffer is buf_size in the same data structure. The panic can be arrived at from either the qede Ethernet driver path: [exception RIP: qed_grc_dump_addr_range+0x108] qed_protection_override_dump at ffffffffc02662ed [qed] qed_dbg_protection_override_dump at ffffffffc0267792 [qed] qed_dbg_feature at ffffffffc026aa8f [qed] qed_dbg_all_data at ffffffffc026b211 [qed] qed_fw_fatal_reporter_dump at ffffffffc027298a [qed] devlink_health_do_dump at ffffffff82497f61 devlink_health_report at ffffffff8249cf29 qed_report_fatal_error at ffffffffc0272baf [qed] qede_sp_task at ffffffffc045ed32 [qede] process_one_work at ffffffff81d19783 or the qedf storage driver path: [exception RIP: qed_grc_dump_addr_range+0x108] qed_protection_override_dump at ffffffffc068b2ed [qed] qed_dbg_protection_override_dump at ffffffffc068c792 [qed] qed_dbg_feature at ffffffffc068fa8f [qed] qed_dbg_all_data at ffffffffc0690211 [qed] qed_fw_fatal_reporter_dump at ffffffffc069798a [qed] devlink_health_do_dump at ffffffff8aa95e51 devlink_health_report at ffffffff8aa9ae19 qed_report_fatal_error at ffffffffc0697baf [qed] qed_hw_err_notify at ffffffffc06d32d7 [qed] qed_spq_post at ffffffffc06b1011 [qed] qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed] qedf_cleanup_fcport at ffffffffc05e7597 [qedf] qedf_rport_event_handler at ffffffffc05e7bf7 [qedf] fc_rport_work at ffffffffc02da715 [libfc] process_one_work at ffffffff8a319663 Resolve this by clamping the firmware's return value to the maximum number of legal elements the firmware should return.

The advisory is shared at git.kernel.org. This vulnerability is known as CVE-2025-39949 since 04/16/2025. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 01/27/2026).

The vulnerability scanner Nessus provides a plugin with the ID 269447 (Linux Distros Unpatched Vulnerability : CVE-2025-39949), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 5.10.245, 5.15.194, 6.1.154, 6.6.108, 6.12.49 or 6.16.9 eliminates this vulnerability. Applying the patch 25672c620421fa2105703a94a29a03487245e6d6/e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c/8141910869596b7a3a5d9b46107da2191d523f82/ea53e6a47e148b490b1c652fc65d2de5a086df76/660b2a8f5a306a28c7efc1b4990ecc4912a68f87/70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3/56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (269447) and CERT Bund (WID-SEC-2025-2194). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

  • Google Container-Optimized OS
  • Debian Linux
  • Google Cloud Platform
  • Amazon Linux 2
  • Red Hat Enterprise Linux
  • Ubuntu Linux
  • SUSE Linux
  • Oracle Linux
  • SUSE openSUSE
  • Open Source Linux Kernel
  • RESF Rocky Linux
  • IBM QRadar SIEM

Productinfo

Type

Vendor

Name

Version

License

Website

CPE 2.3info

CPE 2.2info

CVSSv4info

VulDB Vector: 🔒
VulDB Reliability: 🔍

CVSSv3info

VulDB Meta Base Score: 6.8
VulDB Meta Temp Score: 6.6

VulDB Base Score: 8.0
VulDB Temp Score: 7.6
VulDB Vector: 🔒
VulDB Reliability: 🔍

NVD Base Score: 5.5
NVD Vector: 🔒

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock

VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍

Exploitinginfo

Class: Return value
CWE: CWE-252 / CWE-253
CAPEC: 🔒
ATT&CK: 🔒

Physical: Partially
Local: Yes
Remote: Partially

Availability: 🔒
Status: Not defined

EPSS Score: 🔒
EPSS Percentile: 🔒

Price Prediction: 🔍
Current Price Estimation: 🔒

0-DayUnlockUnlockUnlockUnlock
TodayUnlockUnlockUnlockUnlock

Nessus ID: 269447
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2025-39949

Threat Intelligenceinfo

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍

Countermeasuresinfo

Recommended: Upgrade
Status: 🔍

0-Day Time: 🔒

Upgrade: Kernel 5.10.245/5.15.194/6.1.154/6.6.108/6.12.49/6.16.9
Patch: 25672c620421fa2105703a94a29a03487245e6d6/e0e24571a7b2f8c8f06e25d3417253ebbdbc8d5c/8141910869596b7a3a5d9b46107da2191d523f82/ea53e6a47e148b490b1c652fc65d2de5a086df76/660b2a8f5a306a28c7efc1b4990ecc4912a68f87/70affe82e38fd3dc76b9c68b5a1989f11e7fa0f3/56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37

Timelineinfo

04/16/2025 CVE reserved
10/04/2025 +171 days Advisory disclosed
10/04/2025 +0 days VulDB entry created
01/27/2026 +115 days VulDB entry last update

Sourcesinfo

Vendor: kernel.org

Advisory: git.kernel.org
Status: Confirmed

CVE: CVE-2025-39949 (🔒)
GCVE (CVE): GCVE-0-2025-39949
GCVE (VulDB): GCVE-100-327037
CERT Bund: WID-SEC-2025-2194 - Linux Kernel: Mehrere Schwachstellen

Entryinfo

Created: 10/04/2025 11:33
Updated: 01/27/2026 18:02
Changes: 10/04/2025 11:33 (59), 10/08/2025 19:51 (2), 11/24/2025 02:44 (7), 12/27/2025 00:10 (1), 01/27/2026 18:02 (11)
Complete: 🔍
Cache ID: 216::103

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion

No comments yet. Languages: en.

Please log in to comment.

PreviousOverviewNext

Want to know what is going to be exploited?

We predict KEV entries!