CVE-2025-39778

objtool, nvmet: Fix out-of-bounds stack access in nvmet_ctrl_state_show()

Description

In the Linux kernel, the following vulnerability has been resolved: objtool, nvmet: Fix out-of-bounds stack access in nvmet_ctrl_state_show() The csts_state_names[] array only has six sparse entries, but the iteration code in nvmet_ctrl_state_show() iterates seven, resulting in a potential out-of-bounds stack read. Fix that. Fixes the following warning with an UBSAN kernel: vmlinux.o: warning: objtool: .text.nvmet_ctrl_state_show: unexpected end of section

Category

7.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.01%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/1adc93a525fdee8e2b311e6d5fd93eb69714ca05 patch
https://git.kernel.org/stable/c/8fbf37a3577b4d64c150cafde338eee17b2f2ea4 patch
https://git.kernel.org/stable/c/0cc0efc58d6c741b2868d4af24874d7fec28a575 patch
https://git.kernel.org/stable/c/107a23185d990e3df6638d9a84c835f963fe30a6 patch

Frequently Asked Questions

What is the severity of CVE-2025-39778?
CVE-2025-39778 has been scored as a high severity vulnerability.
How to fix CVE-2025-39778?
To fix CVE-2025-39778, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-39778 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-39778 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-39778?
CVE-2025-39778 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.