Vulnerability DatabaseCVE-2025-39954

CVE-2025-39954:
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2025-39954 is a vulnerability discovered in the Linux kernel's clock subsystem, specifically in the sunxi-ng MP clock driver. The vulnerability was disclosed on October 9, 2025, affecting the dual-divider clock rate readback functionality (NVD, RedHat).

Technical details

The vulnerability stems from an implementation error in the .recalc_rate readback function where the P divider offset was omitted during the dual-divider clock support implementation. This oversight causes the clock rate calculations to become incorrect or potentially zero when the P divider is 1, leading to a possible divide-by-zero condition. The issue has been assigned a CVSS v3.1 base score of 5.5 with the vector string AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (RedHat).

Impact

The vulnerability can cause the clock rate to become bogus or zero, potentially affecting system stability and performance. The impact is primarily focused on availability, with no direct effects on confidentiality or integrity (NVD).

Mitigation and workarounds

The vulnerability has been fixed by incorporating the P divider offset into the calculation within the .recalc_rate readback function. The fix has been implemented in the Linux kernel, and various distributions have either patched their kernels or marked their versions as not affected (Ubuntu).

Additional resources

Source: This report was generated using AI

Related Linux Debian vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-61729	HIGH	7.5	Docker	golang-1.19	No	Yes	Dec 02, 2025
CVE-2025-66293	HIGH	7.1	OpenJDK JDK	java-25-openjdk-javadoc	No	No	Dec 03, 2025
CVE-2025-39665	MEDIUM	6.9	Linux Debian	nagvis	No	No	Dec 03, 2025
CVE-2025-61727	MEDIUM	6.5	Docker	docker	No	Yes	Dec 03, 2025
CVE-2025-66453	MEDIUM	5.5	Java	org.mozilla:rhino	No	Yes	Dec 03, 2025