CVE-2025-39726

EPSS 0.03%
Published 05.09.2025 17:27:19
Last modified 08.09.2025 16:25:38
Source 416baaa9-dc9f-4396-8d5f-8c081f
Teams watchlist Login
Open Login

In the Linux kernel, the following vulnerability has been resolved:

s390/ism: fix concurrency management in ism_cmd()

The s390x ISM device data sheet clearly states that only one
request-response sequence is allowable per ISM function at any point in
time.  Unfortunately as of today the s390/ism driver in Linux does not
honor that requirement. This patch aims to rectify that.

This problem was discovered based on Aliaksei's bug report which states
that for certain workloads the ISM functions end up entering error state
(with PEC 2 as seen from the logs) after a while and as a consequence
connections handled by the respective function break, and for future
connection requests the ISM device is not considered -- given it is in a
dysfunctional state. During further debugging PEC 3A was observed as
well.

A kernel message like
[ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a
is a reliable indicator of the stated function entering error state
with PEC 2. Let me also point out that a kernel message like
[ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery
is a reliable indicator that the ISM function won't be auto-recovered
because the ISM driver currently lacks support for it.

On a technical level, without this synchronization, commands (inputs to
the FW) may be partially or fully overwritten (corrupted) by another CPU
trying to issue commands on the same function. There is hard evidence that
this can lead to DMB token values being used as DMB IOVAs, leading to
PEC 2 PCI events indicating invalid DMA. But this is only one of the
failure modes imaginable. In theory even completely losing one command
and executing another one twice and then trying to interpret the outputs
as if the command we intended to execute was actually executed and not
the other one is also possible.  Frankly, I don't feel confident about
providing an exhaustive list of possible consequences.

Affected products Warnungen 0 Metrics 1 CWE 0 References 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorLinux

≫

Product Linux

Default Statusunaffected

Version < faf44487dfc80817f178dc8de7a0b73f960d019b

Version 684b89bc39ce4f204b1a2b180f39f2eb36a6b695

Status affected

Version < 1194ad0d44d66b273a02a3a22882dc863a68d764

Version 684b89bc39ce4f204b1a2b180f39f2eb36a6b695

Status affected

Version < fafaa4982bedb5532f5952000f714a3e63023f40

Version 684b89bc39ce4f204b1a2b180f39f2eb36a6b695

Status affected

Version < 897e8601b9cff1d054cdd53047f568b0e1995726

Version 684b89bc39ce4f204b1a2b180f39f2eb36a6b695

Status affected

VendorLinux

≫

Product Linux

Default Statusaffected

Version 4.19

Status affected

Version < 4.19

Version 0

Status unaffected

Version <= 6.6.*

Version 6.6.101

Status unaffected

Version <= 6.12.*

Version 6.12.41

Status unaffected

Version <= 6.15.*

Version 6.15.9

Status unaffected

Version <= *

Version 6.16

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.056

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string

https://git.kernel.org/stable/c/faf44487dfc80817f178dc8de7a0b73f960d019b

https://git.kernel.org/stable/c/1194ad0d44d66b273a02a3a22882dc863a68d764

https://git.kernel.org/stable/c/fafaa4982bedb5532f5952000f714a3e63023f40

https://git.kernel.org/stable/c/897e8601b9cff1d054cdd53047f568b0e1995726

https://nvd.nist.gov/vuln/detail/CVE-2025-39726

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-39726

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-39726

EUVD