CVE-2025-39787
Description
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: mdt_loader: Ensure we don't read past the ELF header
When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessarily the case for other clients.
Validate the size of the firmware buffer to ensure that we don't read past the end as we iterate over the header. e_phentsize and e_shentsize are validated as well, to ensure that the assumptions about step size in the traversal are valid.
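The check the description calls for, written out as an added example in plain C; this is not the kernel's mdt_loader code or the fix commit itself. The ELF32 header layout mirrors `<elf.h>` but is defined locally so the example builds anywhere; the function names (`elf32_fw_header_fits`, `build_test_image`, `set_phdr_table`) and the constructed firmware image are assumptions of this example. It shows the three things the commit message names: the buffer must hold the ELF header at all, e_phentsize/e_shentsize must equal the struct size a traversal steps by, and offset + count * entsize must be computed in 64 bits so a 32-bit wrap cannot make a table appear to fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF32 file header, mirroring Elf32_Ehdr from <elf.h>. */
typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf32_ehdr;                     /* 52 bytes */

#define ELF32_PHDR_SIZE 32u       /* sizeof(Elf32_Phdr) */
#define ELF32_SHDR_SIZE 40u       /* sizeof(Elf32_Shdr) */

/* Returns true only if the ELF header, the program header table and the
 * section header table all lie inside the fw_size bytes at fw, and the entry
 * sizes match the structs a traversal would step by (hypothetical helper). */
bool elf32_fw_header_fits(const uint8_t *fw, size_t fw_size)
{
    elf32_ehdr eh;
    uint64_t end;

    if (fw == NULL || fw_size < sizeof(eh))   /* header itself is truncated */
        return false;
    memcpy(&eh, fw, sizeof(eh));              /* no misaligned struct access */

    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 1 /* ELFCLASS32 */)
        return false;

    /* Step-size assumption: a loop does fw + e_phoff + i * e_phentsize, so the
     * entry size must be exactly the struct size the loop dereferences. */
    if (eh.e_phnum != 0 && eh.e_phentsize != ELF32_PHDR_SIZE)
        return false;
    if (eh.e_shnum != 0 && eh.e_shentsize != ELF32_SHDR_SIZE)
        return false;

    /* 64-bit arithmetic: offset + count * entsize cannot wrap a 32-bit sum. */
    end = (uint64_t)eh.e_phoff + (uint64_t)eh.e_phnum * eh.e_phentsize;
    if (eh.e_phnum != 0 && end > fw_size)
        return false;
    end = (uint64_t)eh.e_shoff + (uint64_t)eh.e_shnum * eh.e_shentsize;
    if (eh.e_shnum != 0 && end > fw_size)
        return false;
    return true;
}

/* Constructed test image: a header followed by phnum zeroed program headers.
 * Returns the image length, or 0 if it does not fit in cap. */
size_t build_test_image(uint8_t *buf, size_t cap, uint16_t phnum, uint16_t phentsize)
{
    elf32_ehdr eh;
    size_t len = sizeof(eh) + (size_t)phnum * ELF32_PHDR_SIZE;

    if (cap < len)
        return 0;
    memset(buf, 0, len);
    memset(&eh, 0, sizeof(eh));
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4]  = 1;                 /* ELFCLASS32 */
    eh.e_ehsize    = (uint16_t)sizeof(eh);
    eh.e_phoff     = (uint32_t)sizeof(eh);
    eh.e_phentsize = phentsize;
    eh.e_phnum     = phnum;
    memcpy(buf, &eh, sizeof(eh));
    return len;
}

/* Overwrite the program header table fields of an existing image (assumes
 * buf holds at least one elf32_ehdr). Used to model a malformed header. */
void set_phdr_table(uint8_t *buf, uint32_t phoff, uint16_t phnum, uint16_t phentsize)
{
    elf32_ehdr eh;
    memcpy(&eh, buf, sizeof(eh));
    eh.e_phoff = phoff;
    eh.e_phnum = phnum;
    eh.e_phentsize = phentsize;
    memcpy(buf, &eh, sizeof(eh));
}

int main(void)
{
    uint8_t buf[256];
    size_t n = build_test_image(buf, sizeof(buf), 2, ELF32_PHDR_SIZE);

    printf("well-formed image:      %d\n", elf32_fw_header_fits(buf, n));
    printf("one byte short:         %d\n", elf32_fw_header_fits(buf, n - 1));
    /* e_phoff + e_phnum * e_phentsize == 2^32 exactly: wraps to 0 in 32 bits */
    set_phdr_table(buf, 0xFFE00020u, 0xFFFFu, ELF32_PHDR_SIZE);
    printf("32-bit wrapping header: %d\n", elf32_fw_header_fits(buf, n));
    return 0;
}
```

The wrapping case is the one worth studying: with e_phoff = 0xFFE00020 and e_phnum = 0xFFFF, the sum e_phoff + e_phnum * 32 is exactly 2^32, so a check written in 32-bit arithmetic sees 0 and accepts the image, while the 64-bit form correctly rejects it.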
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's Qualcomm MDT loader, missing ELF header size validation could cause out-of-bounds reads when processing firmware.
The vulnerability resides in the Qualcomm mdt_loader driver within the Linux kernel. The loader iterates over the ELF header of a firmware image to locate program and section headers. The patch description states that while the remoteproc subsystem sanitizes the ELF header beforehand, other clients may not. Without validating the firmware buffer size, and the header fields e_phentsize and e_shentsize that determine the traversal's step size, the iteration could read past the end of the allocated buffer. [1]
An attacker who can supply a crafted firmware image to a kernel component that invokes the MDT loader could trigger an out-of-bounds read. The attack does not require authentication if the attacker can control the firmware blob (e.g., via a malicious module or file system). The prerequisite is that the kernel must call the vulnerable functions without having pre-validated the header. [1]
The impact is that the kernel may read memory beyond the firmware buffer, potentially causing an information leak (disclosure of sensitive kernel memory) or a system crash (denial of service). The CVSS v3 base score of 5.5 reflects a medium severity with primarily confidentiality and availability impacts. [1]
A fix has been committed to the Linux kernel stable trees. The patch adds checks to ensure that the ELF header and its sub-fields fit within the firmware buffer before iterating. Users should apply the latest kernel updates. Siemens has listed this CVE among many others affecting their industrial products, indicating that a kernel update is the recommended remediation for those platforms. [1][2]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux/Linux (v5 range: 4.11)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/0d59ce2bfc3bb13abe6240335a1bf7b96536d022 (nvd: Patch)
- git.kernel.org/stable/c/1096eb63ecfc8df90b70cd068e6de0c2ff204dfd (nvd: Patch)
- git.kernel.org/stable/c/43d26997d88c4056fce0324e72f62556bc7e8e8d (nvd: Patch)
- git.kernel.org/stable/c/81278be4eb5f08ba2c68c3055893e61cc03727fe (nvd: Patch)
- git.kernel.org/stable/c/87bfabb3b2f46827639173f143aa43f7cfc0a7e6 (nvd: Patch)
- git.kernel.org/stable/c/981c845f29838e468a9bfa87f784307193a31297 (nvd: Patch)
- git.kernel.org/stable/c/9f9967fed9d066ed3dae9372b45ffa4f6fccfeef (nvd: Patch)
- git.kernel.org/stable/c/e1720eb32acf411c328af6a8c8f556c94535808e (nvd: Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00007.html (nvd: Third Party Advisory)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd: Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
- cert-portal.siemens.com/productcert/html/ssa-082556.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)