{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "c366be720235301fdadf67e6f1ea6ff32669c074"
            },
            {
              "fixed": "c91382328fc89f73144d5582f2d8f1dd3e41c8f7"
            },
            {
              "fixed": "06418cb5a1a542a003fdb4ad8e76ea542d57cfba"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39928.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: rtl9300: ensure data length is within supported range\n\nAdd an explicit check for the xfer length to 'rtl9300_i2c_config_xfer'\nto ensure the data length isn't within the supported range. In\nparticular a data length of 0 is not supported by the hardware and\ncauses unintended or destructive behaviour.\n\nThis limitation becomes obvious when looking at the register\ndocumentation [1]. 4 bits are reserved for DATA_WIDTH and the value\nof these 4 bits is used as N + 1, allowing a data length range of\n1 \u003c= len \u003c= 16.\n\nAffected by this is the SMBus Quick Operation which works with a data\nlength of 0. Passing 0 as the length causes an underflow of the value\ndue to:\n\n(len - 1) \u0026 0xf\n\nand effectively specifying a transfer length of 16 via the registers.\nThis causes a 16-byte write operation instead of a Quick Write. For\nexample, on SFP modules without write-protected EEPROM this soft-bricks\nthem by overwriting some initial bytes.\n\nFor completeness, also add a quirk for the zero length.\n\n[1] https://svanheule.net/realtek/longan/register/i2c_mst1_ctrl2",
  "id": "CVE-2025-39928",
  "modified": "2026-04-01T23:08:00.156769610Z",
  "published": "2025-10-01T08:07:15.530Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06418cb5a1a542a003fdb4ad8e76ea542d57cfba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c91382328fc89f73144d5582f2d8f1dd3e41c8f7"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39928.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39928"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "i2c: rtl9300: ensure data length is within supported range"
}