CVE-2025-39836

HIGH

Linux Kernel - Out-of-bounds Write in EFI STMM Buffer Allocation

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: efi: stmm: Fix incorrect buffer allocation method The communication buffer allocated by setup_mm_hdr() is later on passed to tee_shm_register_kernel_buf(). The latter expects those buffers to be contiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause various corruptions or BUGs, specifically since commit 9aec2fb0fd5e ("slab: allocate frozen pages"), though it was broken before as well. Fix this by using alloc_pages_exact() instead of kmalloc().

References (3)

Core 3

Core References

Patch

https://git.kernel.org/stable/c/77ff27ff0e4529a003c8a1c2492c111968c378d3

Patch

https://git.kernel.org/stable/c/630c0e6064daf84f17aad1a7d9ca76b562e3fe47

Patch

https://git.kernel.org/stable/c/c5e81e672699e0c5557b2b755cc8f7a69aa92bff

Scores

CVSS v3 7.8

EPSS 0.0014

EPSS Percentile 3.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-787

Status published

Products (12)

linux/Kernel 6.13.0 - 6.16.5linux

linux/Kernel 6.8.0 - 6.12.45linux

Linux/Linux < 6.8

Linux/Linux 6.12.45 - 6.12.*

Linux/Linux 6.16.5 - 6.16.*

Linux/Linux 6.17

Linux/Linux 6.8

Linux/Linux c44b6be62e8dd4ee0a308c36a70620613e6fc55f - 630c0e6064daf84f17aad1a7d9ca76b562e3fe47

Linux/Linux c44b6be62e8dd4ee0a308c36a70620613e6fc55f - 77ff27ff0e4529a003c8a1c2492c111968c378d3

Linux/Linux c44b6be62e8dd4ee0a308c36a70620613e6fc55f - c5e81e672699e0c5557b2b755cc8f7a69aa92bff

... and 2 more

Published Sep 16, 2025

Tracked Since Feb 18, 2026