ghsa-4rg2-56r3-4j7p
Vulnerability from github
Published
2025-08-19 18:31
Modified
2025-08-28 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget : fix use-after-free in composite_dev_cleanup()

  1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): if kmalloc fails, the pointer cdev->os_desc_req will be freed but not set to NULL. Then it will return a failure to the upper-level function.
  2. in func configfs_composite_bind() -> composite_dev_cleanup(): it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it will attempt to use it.This will lead to a use-after-free issue.

BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0 Read of size 8 at addr 0000004827837a00 by task init/1

CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1 kasan_report+0x188/0x1cc __asan_load8+0xb4/0xbc composite_dev_cleanup+0xf4/0x2c0 configfs_composite_bind+0x210/0x7ac udc_bind_to_driver+0xb4/0x1ec usb_gadget_probe_driver+0xec/0x21c gadget_dev_desc_UDC_store+0x264/0x27c

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38555"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T17:15:31Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget : fix use-after-free in composite_dev_cleanup()\n\n1. In func configfs_composite_bind() -\u003e composite_os_desc_req_prepare():\nif kmalloc fails, the pointer cdev-\u003eos_desc_req will be freed but not\nset to NULL. Then it will return a failure to the upper-level function.\n2. in func configfs_composite_bind() -\u003e composite_dev_cleanup():\nit will checks whether cdev-\u003eos_desc_req is NULL. If it is not NULL, it\nwill attempt to use it.This will lead to a use-after-free issue.\n\nBUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0\nRead of size 8 at addr 0000004827837a00 by task init/1\n\nCPU: 10 PID: 1 Comm: init Tainted: G           O      5.10.97-oh #1\n kasan_report+0x188/0x1cc\n __asan_load8+0xb4/0xbc\n composite_dev_cleanup+0xf4/0x2c0\n configfs_composite_bind+0x210/0x7ac\n udc_bind_to_driver+0xb4/0x1ec\n usb_gadget_probe_driver+0xec/0x21c\n gadget_dev_desc_UDC_store+0x264/0x27c",
  "id": "GHSA-4rg2-56r3-4j7p",
  "modified": "2025-08-28T15:30:38Z",
  "published": "2025-08-19T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38555"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/151c0aa896c47a4459e07fee7d4843f44c1bb18e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2db29235e900a084a656dea7e0939b0abb7bb897"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f06ee9f9a3665d43133f125c17e5258a13f3963"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8afb22aa063f706f3343707cdfb8cda4d021dd33"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aada327a9f8028c573636fa60c0abc80fb8135c9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dba96dfa5a0f685b959dd28a52ac8dab0b805204"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e1be1f380c82a69f80c68c96a7cfe8759fb30355"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e624bf26127645a2f7821e73fdf6dc64bad07835"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.