CVE-2025-21704
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-21704
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21704.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-21704
- Downstream
- Related
- Published
- 2025-02-22T10:15:11Z
- Modified
- 2025-09-23T19:14:36Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
usb: cdc-acm: Check control transfer buffer size before access
If the first fragment is shorter than struct usbcdcnotification, we can't calculate an expectedsize. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expectedsize decreases between fragments, causing
expected_size - acm->nb_indexto wrap.This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications").
A mitigating factor is that acmctrlirq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.
- References
-
- https://project-zero.issues.chromium.org/issues/395107243
- https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831
- https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c
- https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646
- https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812
- https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118
- https://git.kernel.org/stable/c/a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2
- https://git.kernel.org/stable/c/e563b01208f4d1f609bcab13333b6c0e24ce6a01
- https://git.kernel.org/stable/c/f64079bef6a8a7823358c3f352ea29a617844636