Bug 2365028 (CVE-2025-37810)

Summary: CVE-2025-37810 kernel: usb: dwc3: gadget: check that event count does not exceed event buffer length
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-05-08 07:02:17 UTC 
In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: check that event count does not exceed event buffer length

The event count is read from register DWC3_GEVNTCOUNT.
There is a check for the count being zero, but not for exceeding the
event buffer length.
Check that event count does not exceed event buffer length,
avoiding an out-of-bounds access when memcpy'ing the event.
Crash log:
Unable to handle kernel paging request at virtual address ffffffc0129be000
pc : __memcpy+0x114/0x180
lr : dwc3_check_event_buf+0xec/0x348
x3 : 0000000000000030 x2 : 000000000000dfc4
x1 : ffffffc0129be000 x0 : ffffff87aad60080
Call trace:
__memcpy+0x114/0x180
dwc3_interrupt+0x24/0x34
Comment 1 Avinash Hanwate 2025-05-08 10:47:41 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050816-CVE-2025-37810-57c4@gregkh/T
Comment 3 errata-xmlrpc 2025-09-22 10:33:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:16354 https://access.redhat.com/errata/RHSA-2025:16354
Comment 6 errata-xmlrpc 2025-09-23 00:36:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:16398 https://access.redhat.com/errata/RHSA-2025:16398
Comment 7 errata-xmlrpc 2025-09-25 00:28:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:16669 https://access.redhat.com/errata/RHSA-2025:16669
Comment 8 errata-xmlrpc 2025-10-01 00:21:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:17123 https://access.redhat.com/errata/RHSA-2025:17123
Comment 9 errata-xmlrpc 2025-10-01 00:22:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:17122 https://access.redhat.com/errata/RHSA-2025:17122
Comment 10 errata-xmlrpc 2025-10-15 07:05:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:18054 https://access.redhat.com/errata/RHSA-2025:18054
Comment 11 errata-xmlrpc 2025-10-15 11:36:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:18098 https://access.redhat.com/errata/RHSA-2025:18098