{"id":"CVE-2025-39810","summary":"bnxt_en: Fix memory corruption when FW resources change during ifdown","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix memory corruption when FW resources change during ifdown\n\nbnxt_set_dflt_rings() assumes that it is always called before any TC has\nbeen created.  So it doesn't take bp-\u003enum_tc into account and assumes\nthat it is always 0 or 1.\n\nIn the FW resource or capability change scenario, the FW will return\nflags in bnxt_hwrm_if_change() that will cause the driver to\nreinitialize and call bnxt_cancel_reservations().  This will lead to\nbnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp-\u003enum_tc\nmay be greater than 1.  This will cause bp-\u003etx_ring[] to be sized too\nsmall and cause memory corruption in bnxt_alloc_cp_rings().\n\nFix it by properly scaling the TX rings by bp-\u003enum_tc in the code\npaths mentioned above.  Add 2 helper functions to determine\nbp-\u003etx_nr_rings and bp-\u003etx_nr_rings_per_tc.","modified":"2026-03-20T12:43:03.612100Z","published":"2025-09-16T13:00:12.677Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39810.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2747328ba2714f1a7454208dbbc1dc0631990b4a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9ab6a9950f152e094395d2e3967f889857daa185"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d00e98977ef519280b075d783653e2c492fffbb6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39810.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39810"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ec5d31e3c15d5233b491400133c67f78a320062c"},{"fixed":"d00e98977ef519280b075d783653e2c492fffbb6"},{"fixed":"9ab6a9950f152e094395d2e3967f889857daa185"},{"fixed":"2747328ba2714f1a7454208dbbc1dc0631990b4a"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39810.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}