CVE-2025-39869: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-39869 was published on September 23, 2025, affecting the Linux kernel's DMA engine, specifically the TI EDMA driver. The vulnerability stems from a critical memory allocation bug in the edma_setup_from_hw() function where queue_priority_map was allocated with insufficient memory (NVD).

The vulnerability involves a memory allocation size mismatch where queue_priority_map was declared as s8 (*)[2] (pointer to array of 2 s8), but memory was allocated using sizeof(s8) instead of the correct array size. This caused out-of-bounds memory writes when accessing queue_priority_map[i][0] = i and queue_priority_map[i][1] = i. The issue manifested as kernel crashes with "Oops - undefined instruction" specifically on ARM platforms like BeagleBoard-X15 during EDMA driver probe, as the memory corruption triggered kernel hardening features on Clang (NVD).

The vulnerability primarily affects ARM platforms running the Linux kernel with the TI EDMA driver. When triggered, it causes kernel crashes with "Oops - undefined instruction" messages, potentially leading to system instability and denial of service conditions (NVD).

The fix involves changing the allocation to use sizeof(*queue_priority_map) which automatically gets the correct size for the 2D array structure. This patch has been integrated into various Linux distributions, with Debian's bookworm (security) version 6.1.153-1 and trixie (security) version 6.12.48-1 containing the fix (Debian Tracker).