ghsa-48g3-w2gf-xjrv
Vulnerability from github
Published
2025-02-22 12:30
Modified
2025-11-03 21:32
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: cdc-acm: Check control transfer buffer size before access

If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing expected_size - acm->nb_index to wrap.

This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications").

A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-22T10:15:11Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-acm: Check control transfer buffer size before access\n\nIf the first fragment is shorter than struct usb_cdc_notification, we can\u0027t\ncalculate an expected_size. Log an error and discard the notification\ninstead of reading lengths from memory outside the received data, which can\nlead to memory corruption when the expected_size decreases between\nfragments, causing `expected_size - acm-\u003enb_index` to wrap.\n\nThis issue has been present since the beginning of git history; however,\nit only leads to memory corruption since commit ea2583529cd1\n(\"cdc-acm: reassemble fragmented notifications\").\n\nA mitigating factor is that acm_ctrl_irq() can only execute after userspace\nhas opened /dev/ttyACM*; but if ModemManager is running, ModemManager will\ndo that automatically depending on the USB device\u0027s vendor/product IDs and\nits other interfaces.",
  "id": "GHSA-48g3-w2gf-xjrv",
  "modified": "2025-11-03T21:32:52Z",
  "published": "2025-02-22T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21704"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e563b01208f4d1f609bcab13333b6c0e24ce6a01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f64079bef6a8a7823358c3f352ea29a617844636"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://project-zero.issues.chromium.org/issues/395107243"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.