{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"MEDIUM" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix Rx page leak on multi-buffer frames\n\nThe ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each\nbuffer in the current frame. This function was introduced as part of\nhandling multi-buffer XDP support in the ice driver.\n\nIt works by iterating over the buffers from first_desc up to 1 plus the\ntotal number of fragments in the frame, cached from before the XDP program\nwas executed.\n\nIf the hardware posts a descriptor with a size of 0, the logic used in\nice_put_rx_mbuf() breaks. Such descriptors get skipped and don't get added\nas fragments in ice_add_xdp_frag. Since the buffer isn't counted as a\nfragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don't\ncall ice_put_rx_buf().\n\nBecause we don't call ice_put_rx_buf(), we don't attempt to re-use the\npage or free it. This leaves a stale page in the ring, as we don't\nincrement next_to_alloc.\n\nThe ice_reuse_rx_page() assumes that the next_to_alloc has been incremented\nproperly, and that it always points to a buffer with a NULL page. Since\nthis function doesn't check, it will happily recycle a page over the top\nof the next_to_alloc buffer, losing track of the old page.\n\nNote that this leak only occurs for multi-buffer frames. The\nice_put_rx_mbuf() function always handles at least one buffer, so a\nsingle-buffer frame will always get handled correctly. It is not clear\nprecisely why the hardware hands us descriptors with a size of 0 sometimes,\nbut it happens somewhat regularly with \"jumbo frames\" used by 9K MTU.\n\nTo fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on\nall buffers between first_desc and next_to_clean. Borrow the logic of a\nsimilar function in i40e used for this same purpose. Use the same logic\nalso in ice_get_pgcnts().\n\nInstead of iterating over just the number of fragments, use a loop which\niterates until the current index reaches to the next_to_clean element just\npast the current frame. Unlike i40e, the ice_put_rx_mbuf() function does\ncall ice_put_rx_buf() on the last buffer of the frame indicating the end of\npacket.\n\nFor non-linear (multi-buffer) frames, we need to take care when adjusting\nthe pagecnt_bias. An XDP program might release fragments from the tail of\nthe frame, in which case that fragment page is already released. Only\nupdate the pagecnt_bias for the first descriptor and fragments still\nremaining post-XDP program. Take care to only access the shared info for\nfragmented buffers, as this avoids a significant cache miss.\n\nThe xdp_xmit value only needs to be updated if an XDP program is run, and\nonly once per packet. Drop the xdp_xmit pointer argument from\nice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function\ndirectly. This avoids needing to pass the argument and avoids an extra\nbit-wise OR for each buffer in the frame.\n\nMove the increment of the ntc local variable to ensure its updated *before*\nall calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic\nrequires the index of the element just after the current frame.\n\nNow that we use an index pointer in the ring to identify the packet, we no\nlonger need to track or cache the number of fragments in the rx_ring.", "category":"general", "title":"Synopsis" } ], "publisher":null, "references":[ { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39948" }, { "summary":"CVE-2025-39948 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/cve/2025/csaf-openeuler-cve-2025-39948.json" }, { "summary":"openEuler-SA-2026-1570", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1570" }, { "summary":"CVE-2025-39948", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-39948&packageName=kernel" } ], "title":"openEuler cve CVE-2025-39948", "tracking":{ "initial_release_date":"2026-03-17T09:39:50+08:00", "revision_history":[ { "date":"2026-03-17T09:39:50+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-03-17T09:39:50+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-03-17T09:39:50+08:00", "id":"CVE-2025-39948", "version":"1.0.0", "status":"interim" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"openEuler-24.03-LTS", "name":"openEuler-24.03-LTS" }, "name":"openEuler-24.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"bpftool-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"bpftool-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"bpftool-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"kernel-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"kernel-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-devel-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"kernel-devel-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"kernel-devel-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-headers-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"kernel-headers-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"kernel-headers-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-source-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"kernel-source-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"kernel-source-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-tools-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"kernel-tools-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"kernel-tools-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"perf-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"perf-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"perf-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python3-perf-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"python3-perf-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"python3-perf-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "name":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm" }, "name":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"bpftool-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"bpftool-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"bpftool-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"kernel-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"kernel-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-devel-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"kernel-devel-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"kernel-devel-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-headers-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"kernel-headers-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"kernel-headers-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-source-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"kernel-source-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"kernel-source-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-tools-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"kernel-tools-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"kernel-tools-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"perf-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"perf-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"perf-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python3-perf-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"python3-perf-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"python3-perf-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "name":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm" }, "name":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"kernel-6.6.0-142.0.0.124.oe2403.src.rpm", "name":"kernel-6.6.0-142.0.0.124.oe2403.src.rpm" }, "name":"kernel-6.6.0-142.0.0.124.oe2403.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"bpftool-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:bpftool-6.6.0-142.0.0.124.oe2403.aarch64", "name":"bpftool-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64", "name":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-6.6.0-142.0.0.124.oe2403.aarch64", "name":"kernel-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64", "name":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-debugsource-6.6.0-142.0.0.124.oe2403.aarch64", "name":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-devel-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-devel-6.6.0-142.0.0.124.oe2403.aarch64", "name":"kernel-devel-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-headers-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-headers-6.6.0-142.0.0.124.oe2403.aarch64", "name":"kernel-headers-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-source-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-source-6.6.0-142.0.0.124.oe2403.aarch64", "name":"kernel-source-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-tools-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-tools-6.6.0-142.0.0.124.oe2403.aarch64", "name":"kernel-tools-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64", "name":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-tools-devel-6.6.0-142.0.0.124.oe2403.aarch64", "name":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"perf-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:perf-6.6.0-142.0.0.124.oe2403.aarch64", "name":"perf-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64", "name":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python3-perf-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python3-perf-6.6.0-142.0.0.124.oe2403.aarch64", "name":"python3-perf-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64", "name":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"bpftool-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:bpftool-6.6.0-142.0.0.124.oe2403.x86_64", "name":"bpftool-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64", "name":"bpftool-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-6.6.0-142.0.0.124.oe2403.x86_64", "name":"kernel-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64", "name":"kernel-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-debugsource-6.6.0-142.0.0.124.oe2403.x86_64", "name":"kernel-debugsource-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-devel-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-devel-6.6.0-142.0.0.124.oe2403.x86_64", "name":"kernel-devel-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-headers-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-headers-6.6.0-142.0.0.124.oe2403.x86_64", "name":"kernel-headers-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-source-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-source-6.6.0-142.0.0.124.oe2403.x86_64", "name":"kernel-source-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-tools-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-tools-6.6.0-142.0.0.124.oe2403.x86_64", "name":"kernel-tools-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64", "name":"kernel-tools-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-tools-devel-6.6.0-142.0.0.124.oe2403.x86_64", "name":"kernel-tools-devel-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"perf-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:perf-6.6.0-142.0.0.124.oe2403.x86_64", "name":"perf-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64", "name":"perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python3-perf-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python3-perf-6.6.0-142.0.0.124.oe2403.x86_64", "name":"python3-perf-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64", "name":"python3-perf-debuginfo-6.6.0-142.0.0.124.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"kernel-6.6.0-142.0.0.124.oe2403.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:kernel-6.6.0-142.0.0.124.oe2403.src", "name":"kernel-6.6.0-142.0.0.124.oe2403.src as a component of openEuler-24.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-39948", "notes":[ { "text":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix Rx page leak on multi-buffer frames\n\nThe ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each\nbuffer in the current frame. This function was introduced as part of\nhandling multi-buffer XDP support in the ice driver.\n\nIt works by iterating over the buffers from first_desc up to 1 plus the\ntotal number of fragments in the frame, cached from before the XDP program\nwas executed.\n\nIf the hardware posts a descriptor with a size of 0, the logic used in\nice_put_rx_mbuf() breaks. Such descriptors get skipped and don't get added\nas fragments in ice_add_xdp_frag. Since the buffer isn't counted as a\nfragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don't\ncall ice_put_rx_buf().\n\nBecause we don't call ice_put_rx_buf(), we don't attempt to re-use the\npage or free it. This leaves a stale page in the ring, as we don't\nincrement next_to_alloc.\n\nThe ice_reuse_rx_page() assumes that the next_to_alloc has been incremented\nproperly, and that it always points to a buffer with a NULL page. Since\nthis function doesn't check, it will happily recycle a page over the top\nof the next_to_alloc buffer, losing track of the old page.\n\nNote that this leak only occurs for multi-buffer frames. The\nice_put_rx_mbuf() function always handles at least one buffer, so a\nsingle-buffer frame will always get handled correctly. It is not clear\nprecisely why the hardware hands us descriptors with a size of 0 sometimes,\nbut it happens somewhat regularly with \"jumbo frames\" used by 9K MTU.\n\nTo fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on\nall buffers between first_desc and next_to_clean. Borrow the logic of a\nsimilar function in i40e used for this same purpose. Use the same logic\nalso in ice_get_pgcnts().\n\nInstead of iterating over just the number of fragments, use a loop which\niterates until the current index reaches to the next_to_clean element just\npast the current frame. Unlike i40e, the ice_put_rx_mbuf() function does\ncall ice_put_rx_buf() on the last buffer of the frame indicating the end of\npacket.\n\nFor non-linear (multi-buffer) frames, we need to take care when adjusting\nthe pagecnt_bias. An XDP program might release fragments from the tail of\nthe frame, in which case that fragment page is already released. Only\nupdate the pagecnt_bias for the first descriptor and fragments still\nremaining post-XDP program. Take care to only access the shared info for\nfragmented buffers, as this avoids a significant cache miss.\n\nThe xdp_xmit value only needs to be updated if an XDP program is run, and\nonly once per packet. Drop the xdp_xmit pointer argument from\nice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function\ndirectly. This avoids needing to pass the argument and avoids an extra\nbit-wise OR for each buffer in the frame.\n\nMove the increment of the ntc local variable to ensure its updated *before*\nall calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic\nrequires the index of the element just after the current frame.\n\nNow that we use an index pointer in the ring to identify the packet, we no\nlonger need to track or cache the number of fragments in the rx_ring.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":{ "$ref":"$.vulnerabilities[0].product_status.fixed" } }, "remediations":[ { "product_ids":{ "$ref":"$.vulnerabilities[0].product_status.fixed" }, "details":"kernel security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1570" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.5, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":{ "$ref":"$.vulnerabilities[0].product_status.fixed" } } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2025-39948" } ] }