Bug 2365028 (CVE-2025-37810) - CVE-2025-37810 kernel: usb: dwc3: gadget: check that event count does not exceed event buffer length
Summary: CVE-2025-37810 kernel: usb: dwc3: gadget: check that event count does not exc...
Keywords:
Status: NEW
Alias: CVE-2025-37810
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-08 07:02 UTC by OSIDB Bzimport
Modified: 2025-10-01 00:22 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:16354 0 None None None 2025-09-22 10:33:20 UTC
Red Hat Product Errata RHSA-2025:16398 0 None None None 2025-09-23 00:36:27 UTC
Red Hat Product Errata RHSA-2025:16669 0 None None None 2025-09-25 00:28:32 UTC
Red Hat Product Errata RHSA-2025:17122 0 None None None 2025-10-01 00:22:27 UTC
Red Hat Product Errata RHSA-2025:17123 0 None None None 2025-10-01 00:21:40 UTC

Description OSIDB Bzimport 2025-05-08 07:02:17 UTC 
In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: check that event count does not exceed event buffer length

The event count is read from register DWC3_GEVNTCOUNT.
There is a check for the count being zero, but not for exceeding the
event buffer length.
Check that event count does not exceed event buffer length,
avoiding an out-of-bounds access when memcpy'ing the event.
Crash log:
Unable to handle kernel paging request at virtual address ffffffc0129be000
pc : __memcpy+0x114/0x180
lr : dwc3_check_event_buf+0xec/0x348
x3 : 0000000000000030 x2 : 000000000000dfc4
x1 : ffffffc0129be000 x0 : ffffff87aad60080
Call trace:
__memcpy+0x114/0x180
dwc3_interrupt+0x24/0x34
Comment 1 Avinash Hanwate 2025-05-08 10:47:41 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050816-CVE-2025-37810-57c4@gregkh/T
Comment 3 errata-xmlrpc 2025-09-22 10:33:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:16354 https://access.redhat.com/errata/RHSA-2025:16354
Comment 6 errata-xmlrpc 2025-09-23 00:36:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:16398 https://access.redhat.com/errata/RHSA-2025:16398
Comment 7 errata-xmlrpc 2025-09-25 00:28:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:16669 https://access.redhat.com/errata/RHSA-2025:16669
Comment 8 errata-xmlrpc 2025-10-01 00:21:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:17123 https://access.redhat.com/errata/RHSA-2025:17123
Comment 9 errata-xmlrpc 2025-10-01 00:22:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:17122 https://access.redhat.com/errata/RHSA-2025:17122
Note You need to log in before you can comment on or make changes to this bug.