{
  "affected": [
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:14",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.16.9-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "In the Linux kernel, the following vulnerability has been resolved:  crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()  When    9770b428b1a2 (\"crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown\")  moved the error messages dumping so that they don't need to be issued by the callers, it missed the case where __sev_firmware_shutdown() calls __sev_platform_shutdown_locked() with a NULL argument which leads to a NULL ptr deref on the shutdown path, during suspend to disk:    #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 0 P4D 0   Oops: Oops: 0000 [#1] SMP NOPTI   CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary)   Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022   RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]  That rIP is:    00000000000006fd \u003c__sev_platform_shutdown_locked.cold\u003e:    6fd:   8b 13                   mov    (%rbx),%edx    6ff:   48 8b 7d 00             mov    0x0(%rbp),%rdi    703:   89 c1                   mov    %eax,%ecx    Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff \u003c8b\u003e 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e   RSP: 0018:ffffc90005467d00 EFLAGS: 00010282   RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000   \t\t\t     ^^^^^^^^^^^^^^^^ and %rbx is nice and clean.    Call Trace:    \u003cTASK\u003e    __sev_firmware_shutdown.isra.0    sev_dev_destroy    psp_dev_destroy    sp_destroy    pci_device_shutdown    device_shutdown    kernel_power_off    hibernate.cold    state_store    kernfs_fop_write_iter    vfs_write    ksys_write    do_syscall_64    entry_SYSCALL_64_after_hwframe  Pass in a pointer to the function-local error var in the caller.  With that addressed, suspending the ccp shows the error properly at least:    ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP   ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110   SEV-SNP: Leaking PFN range 0x146800-0x146a00   SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00]   ...   ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0   ACPI: PM: Preparing to enter system sleep state S5   kvm: exiting hardware virtualization   reboot: Power down  Btw, this driver is crying to be cleaned up to pass in a proper I/O struct which can be used to store information between the different functions, otherwise stuff like that will happen in the future again.",
  "id": "DEBIAN-CVE-2025-39936",
  "modified": "2026-04-28T19:53:10.023949422Z",
  "published": "2025-10-04T08:15:46.460Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://security-tracker.debian.org/tracker/CVE-2025-39936"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "upstream": [
    "CVE-2025-39936"
  ]
}