CVE-2025-39778: Vulnerability in the Linux kernel

Medium
Published: Fri Apr 18 2025 (04/18/2025, 07:01:37 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

objtool, nvmet: Fix out-of-bounds stack access in nvmet_ctrl_state_show()

The csts_state_names[] array only has six sparse entries, but the iteration code in nvmet_ctrl_state_show() iterates seven, resulting in a potential out-of-bounds stack read. Fix that.

Fixes the following warning with an UBSAN kernel:

vmlinux.o: warning: objtool: .text.nvmet_ctrl_state_show: unexpected end of section

AI-Powered Analysis

Last updated: 07/03/2025, 19:40:45 UTC

Technical Analysis

CVE-2025-39778 is a vulnerability in the Linux kernel, specifically in the nvmet subsystem's nvmet_ctrl_state_show() function. The function iterates over the csts_state_names[] array seven times, but the array contains only six sparse entries, so the final iteration reads past the end of the array on the stack. The flaw surfaced as an objtool warning ("unexpected end of section") on a kernel built with the Undefined Behavior Sanitizer (UBSAN), indicating a potential memory safety issue. While the vulnerability does not appear to allow direct code execution or privilege escalation, out-of-bounds reads can lead to information disclosure or cause kernel instability, potentially resulting in denial of service (DoS). The fix corrects the iteration bounds in nvmet_ctrl_state_show() so that the loop no longer accesses memory outside the array. The affected versions are specific Linux kernel commits identified by the hash 649fd41420a816b11b07423ebf4dbd4ac1ac2905, and the issue was publicly disclosed on April 18, 2025. There are no known exploits in the wild at this time, and no CVSS score has been assigned.
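The bug class described above, shown as an added illustration; this is not the kernel's code or the upstream patch. The table, bit positions and function names are constructed, and deriving the loop limit from the array size is assumed here as one way to correct such a bound.

```c
#include <stdio.h>
#include <string.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define LEGACY_LOOP_BOUND 7 /* hard-coded bound, one more than the table holds */

/* Constructed status-bit positions and names; not the kernel's definitions. */
enum { ST_READY = 0, ST_FATAL = 1, ST_RESET = 3, ST_PAUSED = 5 };

/* Sparse table: highest index is 5, so 6 slots; slots 2 and 4 are NULL. */
static const char *const state_names[] = {
    [ST_READY] = "ready", [ST_FATAL] = "fatal",
    [ST_RESET] = "reset", [ST_PAUSED] = "paused",
};

/* Iterations of "for (i = 0; i < bound; i++)" that would index past the
 * end of state_names[]; computed only, nothing is dereferenced. */
static size_t oob_iterations(size_t bound)
{
    size_t n = ARRAY_SIZE(state_names);
    return bound > n ? bound - n : 0;
}

/* Bounded form: loop limit comes from the table, NULL holes are skipped.
 * Returns the string length written, or -1 if buf is too small. */
static int show_states(unsigned int status, char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < ARRAY_SIZE(state_names); i++) {
        if (!(status & (1u << i)) || !state_names[i])
            continue;
        int n = snprintf(buf + used, len - used, "%s%s",
                         used ? " " : "", state_names[i]);
        if (n < 0 || (size_t)n >= len - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

int main(void)
{
    char buf[64];
    if (show_states(0x0d, buf, sizeof(buf)) >= 0) /* bits 0, 2, 3 set */
        printf("%s; bound %d overruns by %zu\n", buf, LEGACY_LOOP_BOUND,
               oob_iterations(LEGACY_LOOP_BOUND));
    return 0;
}
```

A sparse table carries two hazards for a fixed-count loop: the end of the array and the NULL holes inside it, and the bounded form handles both.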

Potential Impact

For European organizations, the impact of CVE-2025-39778 depends largely on the deployment of Linux systems utilizing the nvmet subsystem, which is related to NVMe over Fabrics target functionality. Organizations running data centers, cloud infrastructure, or storage solutions that leverage NVMe over Fabrics could be affected. The out-of-bounds read vulnerability may allow attackers with local access or certain privileges to glean sensitive kernel memory contents, potentially exposing confidential information. Additionally, exploitation could cause kernel crashes, leading to service interruptions and availability issues. While the vulnerability does not currently have known exploits, the potential for denial of service or information leakage could disrupt critical services, especially in sectors relying heavily on Linux-based storage and virtualization infrastructure, such as finance, telecommunications, and government services within Europe.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should promptly apply the official Linux kernel patches that correct the iteration logic in nvmet_ctrl_state_show(). Since the vulnerability is in the kernel, updating to the latest stable kernel version that includes this fix is essential. Organizations should audit their systems to identify those running affected kernel versions with NVMe over Fabrics enabled and prioritize patching these systems. Additionally, restricting local access to trusted users and enforcing strict privilege separation can reduce the risk of exploitation. Monitoring kernel logs for unusual behavior or crashes related to nvmet can help detect attempted exploitation. For environments where immediate patching is challenging, disabling the nvmet subsystem or the NVMe over Fabrics target functionality temporarily can serve as a workaround to prevent exposure.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T07:20:57.129Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe850e

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 7:40:45 PM

Last updated: 8/18/2025, 11:29:02 PM
