{"id":"CVE-2025-39790","summary":"bus: mhi: host: Detect events pointing to unexpected TREs","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Detect events pointing to unexpected TREs\n\nWhen a remote device sends a completion event to the host, it contains a\npointer to the consumed TRE. The host uses this pointer to process all of\nthe TREs between it and the host's local copy of the ring's read pointer.\nThis works when processing completion for chained transactions, but can\nlead to nasty results if the device sends an event for a single-element\ntransaction with a read pointer that is multiple elements ahead of the\nhost's read pointer.\n\nFor instance, if the host accesses an event ring while the device is\nupdating it, the pointer inside of the event might still point to an old\nTRE. If the host uses the channel's xfer_cb() to directly free the buffer\npointed to by the TRE, the buffer will be double-freed.\n\nThis behavior was observed on an ep that used upstream EP stack without\n'commit 6f18d174b73d (\"bus: mhi: ep: Update read pointer only after buffer\nis written\")'. Where the device updated the events ring pointer before\nupdating the event contents, so it left a window where the host was able to\naccess the stale data the event pointed to, before the device had the\nchance to update them. The usual pattern was that the host received an\nevent pointing to a TRE that is not immediately after the last processed\none, so it got treated as if it was a chained transaction, processing all\nof the TREs in between the two read pointers.\n\nThis commit aims to harden the host by ensuring transactions where the\nevent points to a TRE that isn't local_rp + 1 are chained.\n\n[mani: added stable tag and reworded commit message]","modified":"2026-04-21T18:42:02.757687650Z","published":"2025-09-11T16:56:38.643Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:3761-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39790.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2ec99b922f4661521927eeada76f431eebfbabc4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4079c6c59705b96285219b9efc63cab870d757b7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/44e1a079e18f78d6594a715b0c6d7e18c656f7b9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5bd398e20f0833ae8a1267d4f343591a2dd20185"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5e17429679a8545afe438ce7a82a13a54e8ceabb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7b3f0e3b60c27f4fcb69927d84987e5fd6240530"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39790.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39790"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1d3173a3bae7039b765a0956e3e4bf846dbaacb8"},{"fixed":"7b3f0e3b60c27f4fcb69927d84987e5fd6240530"},{"fixed":"4079c6c59705b96285219b9efc63cab870d757b7"},{"fixed":"5e17429679a8545afe438ce7a82a13a54e8ceabb"},{"fixed":"2ec99b922f4661521927eeada76f431eebfbabc4"},{"fixed":"44e1a079e18f78d6594a715b0c6d7e18c656f7b9"},{"fixed":"5bd398e20f0833ae8a1267d4f343591a2dd20185"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39790.json"}}],"schema_version":"1.7.5"}