Bug 2394649 (CVE-2025-39787)

Summary: CVE-2025-39787 kernel: Linux kernel: Denial of Service in MDT loader due to improper ELF header validation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's soc: qcom: mdt_loader component. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by providing a specially crafted firmware buffer. The flaw occurs because the MDT loader does not sufficiently validate the size of the ELF header and its section entry sizes (e_phentsize and e_shentsize), leading to a read past the end of the buffer.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-09-11 17:04:46 UTC 
In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: mdt_loader: Ensure we don't read past the ELF header

When the MDT loader is used in remoteproc, the ELF header is sanitized
beforehand, but that's not necessary the case for other clients.

Validate the size of the firmware buffer to ensure that we don't read
past the end as we iterate over the header. e_phentsize and e_shentsize
are validated as well, to ensure that the assumptions about step size in
the traversal are valid.
Comment 1 Mauro Matteo Cascella 2025-09-15 07:39:50 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091151-CVE-2025-39787-227f@gregkh/T