CVE Vulnerability Database

CVE-2025-39728: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-39728 is an array-bounds bug in the Linux kernel's Samsung clock driver (clk: samsung): samsung_clk_init() fills the hws[] array before setting the num field that bounds it, so kernels built with CONFIG_UBSAN_ARRAY_BOUNDS=y panic at boot on affected hardware. This article covers the technical details, affected versions, security impact, and mitigation strategies.


CVE-2025-39728 Overview

CVE-2025-39728 is a Linux kernel vulnerability in the Samsung clock driver (clk: samsung). The flaw resides in samsung_clk_init(), which writes to the ctx->clk_data.hws[] array before assigning ctx->clk_data.num = nr_clks. The hws[] array is declared __counted_by(num), so when the kernel is built with CONFIG_UBSAN_ARRAY_BOUNDS=y the Undefined Behavior Sanitizer checks every index against num, finds num still zero, reports an out-of-bounds array index and triggers a kernel panic. The issue affects Samsung SoC platforms, including Google's gs101 (Tensor) and Exynos ARM64 systems. It is scored as a local, low-privilege denial of service; in practice the panic fires during clock-controller registration at boot, before any user process exists, so no user action is needed to trigger it. The vulnerability is tracked under CWE-129: Improper Validation of Array Index.

Critical Impact

A kernel that combines CONFIG_UBSAN_ARRAY_BOUNDS=y with the Samsung clock driver panics during clock subsystem initialization on affected Samsung SoC hardware, before userspace starts, leaving the system unavailable. The impact is availability only; no confidentiality or integrity loss is involved.

Affected Products

  • Linux Kernel (Samsung clock driver, drivers/clk/samsung/)
  • Samsung Exynos ARM64 platforms using exynos_arm64_register_cmu
  • Google gs101 (Tensor) SoC platforms invoking __gs101_cmu_top_of_clk_init_declare

Discovery Timeline

  • 2025-04-18 - CVE-2025-39728 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2025-39728

Vulnerability Analysis

The vulnerability lives in samsung_clk_init() within the Samsung clock controller driver. The function allocates the provider context with room for nr_clks entries and initializes the clk_data structure used to register clock hardware descriptors. The original code wrote ctx->clk_data.hws[] entries before setting ctx->clk_data.num to the actual clock count nr_clks. Because hws[] is declared __counted_by(num), the sanitizer takes num as the array's bound; with num still zero at that point, every indexed write into hws[] is flagged as out of bounds, even though the allocation itself is large enough and no memory outside it is touched.

The Undefined Behavior Sanitizer (UBSAN) detects this at runtime when CONFIG_UBSAN_ARRAY_BOUNDS=y is enabled and the kernel is built with a compiler that honours __counted_by (clang 18 or GCC 15 and later). The result is the panic message UBSAN: array index out of bounds: 00000000f2005512, followed by a call trace from samsung_clk_init+0x110/0x124 through samsung_cmu_register_one and exynos_arm64_register_cmu to __gs101_cmu_top_of_clk_init_declare.

Root Cause

The defect is an ordering bug: ctx->clk_data.num = nr_clks was assigned after the loop that initializes the array elements rather than before it. The fix moves the assignment ahead of the loop that writes into hws[], so the bounds field reflects the array size while the elements are being initialized.
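The C program below is an added example, not code from this page or from the kernel tree. It models the pre-fix and post-fix ordering in samsung_clk_init() against trimmed copies of struct clk_hw_onecell_data and struct samsung_clk_provider, and emulates the __counted_by bounds check that CONFIG_UBSAN_ARRAY_BOUNDS=y would apply: in the kernel the compiler instruments each access and the failure panics, whereas here check_index() only counts violations so both orderings can run to completion. It demonstrates the point of the analysis and root-cause sections above: the buggy ordering trips the check on every entry, the fixed ordering trips none, and both leave identical, in-bounds contents because the allocation was already sized for nr_clks entries. Everything except the two kernel struct names and the field names num, hws and clk_data is an assumption of the example.

```c
/* Added example (not kernel code): the ordering bug behind CVE-2025-39728
 * and the __counted_by bounds check that exposes it. Struct names mirror the
 * kernel's, their contents are trimmed, and the sanitizer is emulated by
 * check_index() instead of compiler instrumentation. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct clk_hw;                          /* opaque, as in the kernel */

/* Trimmed struct clk_hw_onecell_data: in the kernel hws[] is declared
 * __counted_by(num), so the sanitizer uses num as the array bound. */
struct clk_hw_onecell_data {
	unsigned int num;
	struct clk_hw *hws[];
};

/* Trimmed struct samsung_clk_provider; clk_data must be the last member
 * because it ends in a flexible array. 'violations' is example-only. */
struct samsung_clk_provider {
	unsigned long violations;
	struct clk_hw_onecell_data clk_data;
};

#define ERR_PTR(err) ((struct clk_hw *)(long)(err))

/* Size the kernel requests via struct_size(ctx, clk_data.hws, nr_clks). */
static size_t provider_size(unsigned long nr_clks)
{
	return offsetof(struct samsung_clk_provider, clk_data.hws) +
	       nr_clks * sizeof(struct clk_hw *);
}

/* Emulated __counted_by check: idx must be below the *current* num.
 * The kernel panics here; the example records the violation and goes on. */
static void check_index(struct samsung_clk_provider *ctx, unsigned long idx)
{
	if (idx >= ctx->clk_data.num)
		ctx->violations++;
}

/* Pre-fix ordering: hws[] is filled while num is still 0. */
static struct samsung_clk_provider *samsung_clk_init_buggy(unsigned long nr_clks)
{
	struct samsung_clk_provider *ctx = calloc(1, provider_size(nr_clks));

	if (!ctx)
		return NULL;
	for (unsigned long i = 0; i < nr_clks; ++i) {
		check_index(ctx, i);            /* num == 0: every index trips */
		ctx->clk_data.hws[i] = ERR_PTR(-ENOENT);
	}
	ctx->clk_data.num = nr_clks;            /* assigned too late */
	return ctx;
}

/* Fixed ordering: num is set before the first hws[] access. */
static struct samsung_clk_provider *samsung_clk_init_fixed(unsigned long nr_clks)
{
	struct samsung_clk_provider *ctx = calloc(1, provider_size(nr_clks));

	if (!ctx)
		return NULL;
	ctx->clk_data.num = nr_clks;            /* bound is right from here on */
	for (unsigned long i = 0; i < nr_clks; ++i) {
		check_index(ctx, i);
		ctx->clk_data.hws[i] = ERR_PTR(-ENOENT);
	}
	return ctx;
}

/* How many bounds checks the chosen variant trips ((unsigned long)-1 on OOM). */
static unsigned long violations_for(bool fixed, unsigned long nr_clks)
{
	struct samsung_clk_provider *ctx = fixed ? samsung_clk_init_fixed(nr_clks)
						 : samsung_clk_init_buggy(nr_clks);
	unsigned long v = ctx ? ctx->violations : (unsigned long)-1;

	free(ctx);
	return v;
}

/* True if num and every hws[] slot hold the expected values. Both variants
 * pass: the allocation already had nr_clks slots, so nothing was corrupted. */
static bool contents_ok(bool fixed, unsigned long nr_clks)
{
	struct samsung_clk_provider *ctx = fixed ? samsung_clk_init_fixed(nr_clks)
						 : samsung_clk_init_buggy(nr_clks);
	bool ok = ctx && ctx->clk_data.num == nr_clks;

	for (unsigned long i = 0; ok && i < nr_clks; ++i)
		ok = ctx->clk_data.hws[i] == ERR_PTR(-ENOENT);
	free(ctx);
	return ok;
}
```

With eight clocks, violations_for(false, 8) returns 8 and violations_for(true, 8) returns 0, while contents_ok() is true for both orderings. That pairing is the whole story of this CVE: the data was never corrupted, the bound metadata was simply stale at the moment the sanitizer looked at it, which is why disabling the check (the workaround below) hides the panic without changing what the driver does.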

Attack Vector

There is no attacker-driven exploitation path: the panic is triggered automatically during boot, when the clock controller is registered on affected Samsung SoC hardware. Any system that boots a vulnerable kernel with UBSAN array bounds checking enabled will panic, with no exploit chain or user interaction involved. The flaw is classified as availability-only impact with no confidentiality or integrity loss.

The vulnerability manifests in the bounds handling of the clk_data structure during driver initialization. See the kernel commit reference for the upstream patch.

Detection Methods for CVE-2025-39728

Indicators of Compromise

  • Kernel panic log entries containing UBSAN: array index out of bounds referencing samsung_clk_init
  • Call traces including samsung_cmu_register_one and exynos_arm64_register_cmu followed by system halt
  • Repeated boot failures on Samsung Exynos or Google Tensor (gs101) hardware after a kernel update

Detection Strategies

  • Inventory kernel versions across Samsung-based Linux systems and compare against the patched stable branches listed in kernel.org commit references
  • Audit kernel build configurations for CONFIG_UBSAN_ARRAY_BOUNDS=y combined with the Samsung clock driver (CONFIG_COMMON_CLK_SAMSUNG); builds made with a compiler that lacks __counted_by support do not emit the check and will not panic, but still carry the bug and should be patched
  • Review serial console logs and dmesg archives for UBSAN warnings citing clk/samsung paths

Monitoring Recommendations

  • Forward kernel dmesg and journal logs to a centralized logging platform to alert on UBSAN and samsung_clk_init strings
  • Track unexpected reboots and boot loops on Samsung Exynos and gs101 devices through host availability monitoring
  • Subscribe to upstream stable kernel and distribution security feeds, including the Debian LTS announcement
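As an added example for the detection and monitoring items above (not code from this page or the kernel tree), the POSIX shell snippet below triages a captured serial-console or dmesg log for this CVE's signature. It counts UBSAN array-index panics whose call trace actually reaches samsung_clk_init, rather than matching the two strings anywhere in the file, so a mention of the function outside a trace or an unrelated UBSAN report does not alert. The two sample logs are constructed from the strings quoted in this article; every frame offset other than samsung_clk_init+0x110/0x124 is a placeholder, and the timestamp and "end trace" formatting are assumptions about the console output.

```shell
# Added example (not from this page or the kernel tree): count UBSAN
# array-index panics whose call trace reaches samsung_clk_init.
# Usage: ubsan_clk_samsung_hits LOGFILE   -> prints the number of hits
ubsan_clk_samsung_hits() {
	awk '
	# the panic line repeats the UBSAN text; it ends a trace, never starts one
	/Kernel panic - not syncing/          { inpanic = 0; next }
	/UBSAN: array index out of bounds/    { inpanic = 1; seen = 0; next }
	# only frames inside an open trace count, once per trace
	inpanic && /samsung_clk_init[+]0x/    { if (!seen) { hits++; seen = 1 } }
	/end trace/                           { inpanic = 0 }
	END { print hits + 0 }
	' "$1"
}

# Writes a constructed sample log to a temp file and prints its path.
# "positive" mirrors the trace quoted in the advisory; "negative" is an
# unrelated UBSAN report plus a samsung_clk_init mention outside any trace.
write_sample_log() {
	f=$(mktemp) || return 1
	case "$1" in
	positive) cat > "$f" <<'EOF'
[    0.412345] UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP
[    0.412350] Call trace:
[    0.412351]  samsung_clk_init+0x110/0x124
[    0.412352]  samsung_clk_init+0x48/0x124
[    0.412353]  samsung_cmu_register_one+0x3c/0xa0
[    0.412354]  exynos_arm64_register_cmu+0x54/0x64
[    0.412355]  __gs101_cmu_top_of_clk_init_declare+0x18/0x28
[    0.412360] ---[ end trace 0000000000000000 ]---
[    0.412361] Kernel panic - not syncing: UBSAN: array index out of bounds: Fatal exception
EOF
	;;
	negative) cat > "$f" <<'EOF'
[    2.000001] UBSAN: array index out of bounds: 0000000012345678 [#1] PREEMPT SMP
[    2.000002] Call trace:
[    2.000003]  example_other_driver_probe+0x10/0x40
[    2.000004] ---[ end trace 0000000000000000 ]---
[    2.000005] samsung_clk_init+0x48/0x124 mentioned outside any trace
EOF
	;;
	esac
	echo "$f"
}

log=$(write_sample_log positive)
echo "positive sample: $(ubsan_clk_samsung_hits "$log") hit(s)"   # 1
log=$(write_sample_log negative)
echo "negative sample: $(ubsan_clk_samsung_hits "$log") hit(s)"   # 0
```

Point the function at serial-console captures rather than the systemd journal for this CVE: a panic during clock-controller registration happens before journald is running, so the journal of the failed boot is empty and only the console (or a pstore dump, where configured) holds the trace.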

How to Mitigate CVE-2025-39728

Immediate Actions Required

  • Apply the upstream stable kernel patch that reorders the ctx->clk_data.num assignment in samsung_clk_init()
  • Update to a distribution kernel package that includes the fix, such as those referenced in the Debian LTS announcement #45
  • Reboot affected Samsung SoC systems after patching to load the corrected clock driver

Patch Information

The fix is available across multiple stable kernel branches. Patched commits include 00307934, 0fef48f4, 157de9e4, 24307866, 4d29a6dc, a1500b98, d19d7345, and d974e177. Debian users should apply updates from the corresponding LTS advisories.

Workarounds

  • Build the kernel without CONFIG_UBSAN_ARRAY_BOUNDS=y to suppress the panic, accepting the trade-off of losing this runtime safety check for every other __counted_by array in the kernel
  • Keep unpatched kernels that have UBSAN bounds checking enabled off Samsung SoC hardware; platforms that do not use the drivers/clk/samsung driver never run samsung_clk_init() and do not exercise the affected code path
  • Use distribution-provided kernels that have backported the fix rather than rolling custom builds on Samsung Exynos or gs101 devices
```bash
# Record the running kernel, then check whether this build combines UBSAN
# array-bounds checking with the Samsung clock driver (the vulnerable mix)
uname -r
{ zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)"; } \
  | grep -E 'CONFIG_(UBSAN_ARRAY_BOUNDS|COMMON_CLK_SAMSUNG|EXYNOS_ARM64_COMMON_CLK)'
# Look for the panic signature in the current boot's log; an early-boot panic
# never reaches dmesg or the journal, so check serial console captures for those
dmesg | grep -iE 'ubsan|samsung_clk_init'
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
