CVE-2025-39778: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel was discovered and assigned CVE-2025-39778, specifically affecting the nvmetctrlstate_show() function. The issue was disclosed on April 18, 2025, and involves an out-of-bounds stack access vulnerability in the kernel's objtool and nvmet components (NVD Database).

The vulnerability stems from an array bounds issue where the cstsstatenames[] array contains six sparse entries, but the iteration code in nvmetctrlstateshow() attempts to iterate seven times, potentially resulting in an out-of-bounds stack read. This issue was identified through an UBSAN kernel warning: 'vmlinux.o: warning: objtool: .text.nvmetctrlstateshow: unexpected end of section'. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat CVE).

The vulnerability has been classified as having a Low severity impact. While it allows for an out-of-bounds stack read, the impact is limited to availability concerns with no direct impact on confidentiality or integrity (Red Hat CVE).

The vulnerability has been fixed in various Linux kernel versions. Debian has addressed this in version 6.12.25-1 for sid, while some distributions like Red Hat Enterprise Linux 6, 7, 8, and 9 are not affected by this vulnerability (Debian Tracker).