{
  "affected": [
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:14",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.16.5-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "In the Linux kernel, the following vulnerability has been resolved:  PCI: Fix link speed calculation on retrain failure  When pcie_failed_link_retrain() fails to retrain, it tries to revert to the previous link speed.  However it calculates that speed from the Link Control 2 register without masking out non-speed bits first.  PCIE_LNKCTL2_TLS2SPEED() converts such incorrect values to PCI_SPEED_UNKNOWN (0xff), which in turn causes a WARN splat in pcie_set_target_speed():    pci 0000:00:01.1: [1022:14ed] type 01 class 0x060400 PCIe Root Port   pci 0000:00:01.1: broken device, retraining non-functional downstream link at 2.5GT/s   pci 0000:00:01.1: retraining failed   WARNING: CPU: 1 PID: 1 at drivers/pci/pcie/bwctrl.c:168 pcie_set_target_speed   RDX: 0000000000000001 RSI: 00000000000000ff RDI: ffff9acd82efa000   pcie_failed_link_retrain   pci_device_add   pci_scan_single_device  Mask out the non-speed bits in PCIE_LNKCTL2_TLS2SPEED() and PCIE_LNKCAP_SLS2SPEED() so they don't incorrectly return PCI_SPEED_UNKNOWN.  [bhelgaas: commit log, add details from https://lore.kernel.org/r/1c92ef6bcb314ee6977839b46b393282e4f52e74.1750684771.git.lukas@wunner.de]",
  "id": "DEBIAN-CVE-2025-39784",
  "modified": "2026-04-28T19:53:29.414996998Z",
  "published": "2025-09-11T17:15:44.493Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://security-tracker.debian.org/tracker/CVE-2025-39784"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "upstream": [
    "CVE-2025-39784"
  ]
}