VYPR
Medium severity 5.5 · NVD Advisory · Published Sep 5, 2025 · Updated May 12, 2026

CVE-2025-39724

Description

In the Linux kernel, the following vulnerability has been resolved:

serial: 8250: fix panic due to PSLVERR

When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled.

In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition.

When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle().

Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue.

Panic backtrace:

[ 0.442336] Oops - unknown exception [#1]
[ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a
[ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e
...
[ 0.442416] console_on_rootfs+0x26/0x70
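
The sequence in the description, as a simplified user-space model showing why moving the LCR write under port->lock removes the fault. This is an added example, not kernel code or the upstream patch. The struct, the function names and the assumption that the concurrent console writer also takes the port lock are illustrative.

```c
/* Simplified model of the described sequence; NOT kernel code.
 * All names here are hypothetical and exist only for illustration. */
#include <stdbool.h>
#include <stdio.h>

struct uart_model {
    bool pslverr_resp_en;  /* PSLVERR_RESP_EN set to 1 */
    bool fifo_enabled;     /* FIFO enable state last written to FCR */
    int  rx_bytes;         /* bytes waiting in the receive buffer */
    bool busy;             /* another CPU is accessing the UART right now */
    unsigned lcr;          /* last LCR value that took effect */
};

/* RBR read: error response when the FIFO is enabled and the buffer is empty. */
static bool read_rbr_faults(const struct uart_model *u)
{
    return u->pslverr_resp_en && u->fifo_enabled && u->rx_bytes == 0;
}

/* LCR write as the description outlines it: on a busy UART the read-back
 * check fails and the force-idle path re-enables the FIFO. */
static void write_lcr_checked(struct uart_model *u, unsigned value)
{
    if (u->busy) {               /* check failed -> force idle */
        u->fifo_enabled = true;  /* clear-and-reinit writes FCR with FIFO on */
        u->busy = false;
    }
    u->lcr = value;
}

/* Startup sequence. lcr_under_lock == true models the fix: the LCR write is
 * inside port->lock, so the other CPU (assumed to need the same lock)
 * cannot be mid-access when the write happens. */
static bool startup_faults(bool pslverr_en, bool other_cpu_printing,
                           bool lcr_under_lock)
{
    struct uart_model u = { .pslverr_resp_en = pslverr_en }; /* FIFO off, RX empty */
    u.busy = other_cpu_printing && !lcr_under_lock;
    write_lcr_checked(&u, 0x03);  /* 0x03 = UART_LCR_WLEN8 */
    return read_rbr_faults(&u);   /* the RBR read that follows in startup */
}

int main(void)
{
    printf("unlocked, concurrent printk: fault=%d\n", startup_faults(true, true, false));
    printf("locked,   concurrent printk: fault=%d\n", startup_faults(true, true, true));
    printf("unlocked, PSLVERR disabled : fault=%d\n", startup_faults(false, true, false));
    return 0;
}
```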

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's 8250 serial driver can cause a panic when reading an empty RBR with FIFO enabled and PSLVERR_RESP_EN set.

Vulnerability Overview

CVE-2025-39724 is a race condition in the Linux kernel's 8250 serial driver that can lead to a kernel panic. The issue occurs when the PSLVERR_RESP_EN parameter is enabled, causing the device to generate an error response if an attempt is made to read an empty Receive Buffer Register (RBR) while the FIFO is enabled. During serial8250_do_startup(), a sequence of operations—writing to the Line Control Register (LCR), enabling the FIFO, and then reading the RBR—can trigger this condition. The race arises when another CPU is concurrently accessing the UART (e.g., via printk()), causing dw8250_check_lcr() to fail its check and enter dw8250_force_idle(), which ultimately leads to a panic [1][2].

Exploitation Conditions

Exploitation requires the ability to trigger UART operations on a system where the affected driver is in use. The panic occurs during the startup sequence, so an attacker with local access or the ability to influence UART activity (e.g., through a malicious driver or user-space program) could potentially cause a denial of service. Siemens security advisories confirm that SIMATIC CN 4100 (all versions < V5.0) and SIMATIC S7-1500 CPU family (including related ET 200 CPUs and SIPLUS variants) are affected by this vulnerability [1][2].

Impact

The primary impact is a denial of service (system crash) due to the kernel panic. No privilege escalation or data leakage is described in the available sources. The panic backtrace shows the crash occurring in dw8250_serial_in32 during serial8250_do_startup() [1].

Mitigation

The fix has been applied in the Linux kernel stable tree via commits [3] and [4]. Siemens recommends updating affected products to the latest firmware versions that include the kernel patch [1][2]. Users of the Linux kernel should apply the corresponding stable updates to prevent the panic.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernel (llm-fuzzy)
    Range: >3.18 (approximate introduction of PSLVERR_RESP_EN) < fixed in commits
  • Linux/Linux (v5)
    Range: 3.13
