Bug 2347083 (CVE-2025-21704) - CVE-2025-21704 kernel: usb: cdc-acm: Check control transfer buffer size before access
Keywords:
Status: NEW
Alias: CVE-2025-21704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-02-22 10:01 UTC by OSIDB Bzimport
Modified: 2025-02-26 14:10 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-02-22 10:01:06 UTC
In the Linux kernel, the following vulnerability has been resolved:

usb: cdc-acm: Check control transfer buffer size before access

If the first fragment is shorter than struct usb_cdc_notification, we can't
calculate an expected_size. Log an error and discard the notification
instead of reading lengths from memory outside the received data, which can
lead to memory corruption when the expected_size decreases between
fragments, causing `expected_size - acm->nb_index` to wrap.

This issue has been present since the beginning of git history; however,
it only leads to memory corruption since commit ea2583529cd1
("cdc-acm: reassemble fragmented notifications").

A mitigating factor is that acm_ctrl_irq() can only execute after userspace
has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will
do that automatically depending on the USB device's vendor/product IDs and
its other interfaces.
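
The check described above, shown in a simplified userspace model of fragment reassembly. This is an added example, not the kernel driver's code and not part of the original report: `struct reasm`, `feed()`, `remaining_unchecked()` and `BUF_LEN` are hypothetical names, and the fragments are constructed sample data. It assumes the standard 8-byte CDC notification header with the little-endian `wLength` field at offset 6.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDR_LEN 8u   /* sizeof(struct usb_cdc_notification) */
#define BUF_LEN 64u  /* constructed buffer size for this model */

struct reasm {            /* hypothetical stand-in for the driver state */
    uint8_t buf[BUF_LEN];
    size_t nb_index;      /* bytes collected so far */
};
/* `expected_size - nb_index` in unsigned arithmetic: wraps to a huge value
 * when expected < nb_index, so a min() against it no longer bounds a copy. */
static size_t remaining_unchecked(size_t expected, size_t nb_index)
{
    return expected - nb_index;
}

/* Feed one fragment: 1 = notification complete, 0 = need more, -1 = discarded. */
static int feed(struct reasm *r, const uint8_t *frag, size_t len)
{
    const uint8_t *hdr = r->nb_index ? r->buf : frag;
    size_t expected, copy;
    /* First fragment must hold the whole header; otherwise wLength would be
     * read from bytes that were never received. */
    if (r->nb_index == 0 && len < HDR_LEN)
        return -1;
    expected = HDR_LEN + (size_t)(hdr[6] | (hdr[7] << 8)); /* wLength, LE */
    if (expected > BUF_LEN) { r->nb_index = 0; return -1; }
    copy = expected - r->nb_index; /* cannot wrap: stored header fixes expected */
    if (copy > len)
        copy = len;
    memcpy(r->buf + r->nb_index, frag, copy);
    r->nb_index += copy;
    if (r->nb_index < expected)
        return 0;
    r->nb_index = 0;
    return 1;
}

int main(void)
{
    /* Constructed input: header (wLength = 4) + 2 data bytes, then 2 more. */
    const uint8_t f1[] = {0xA1, 0x20, 0, 0, 0, 0, 4, 0, 0x11, 0x22}, f2[] = {0x33, 0x44};
    struct reasm r = {{0}, 0};
    int a = feed(&r, f1, 4), b = feed(&r, f1, sizeof f1), c = feed(&r, f2, sizeof f2);
    printf("short=%d first=%d second=%d wrapped=%zu\n", a, b, c, remaining_unchecked(8, 10));
    return 0;
}
```

Because the first accepted fragment always stores the complete header, every later fragment derives the same expected size from the reassembly buffer, which is what keeps the subtraction from wrapping.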

Comment 1 Avinash Hanwate 2025-02-24 13:28:15 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022235-CVE-2025-21704-7d61@gregkh/T

