CVE-2025-21704

22.02.2025, 10:15

In the Linux kernel, the following vulnerability has been resolved:

usb: cdc-acm: Check control transfer buffer size before access

If the first fragment is shorter than struct usb_cdc_notification, we can't
calculate an expected_size. Log an error and discard the notification
instead of reading lengths from memory outside the received data, which can
lead to memory corruption when the expected_size decreases between
fragments, causing `expected_size - acm->nb_index` to wrap.

This issue has been present since the beginning of git history; however,
it only leads to memory corruption since commit ea2583529cd1
("cdc-acm: reassemble fragmented notifications").

A mitigating factor is that acm_ctrl_irq() can only execute after userspace
has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will
do that automatically depending on the USB device's vendor/product IDs and
its other interfaces.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Linux	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Vendor	Product	Version
linux	linux_kernel	2.6.13 ≤ 𝑥 < 5.4.291
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.235
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.179
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.129
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.79
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.16
linux	linux_kernel	6.13 ≤ 𝑥 < 6.13.4
linux	linux_kernel	2.6.12
linux	linux_kernel	2.6.12:rc2
linux	linux_kernel	2.6.12:rc3
linux	linux_kernel	2.6.12:rc4
linux	linux_kernel	2.6.12:rc5
linux	linux_kernel	6.14:rc1
linux	linux_kernel	6.14:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	vulnerable
bullseye (security)	5.10.244-1 fixed
bookworm	6.1.148-1 fixed
bookworm (security)	6.1.158-1 fixed
trixie	6.12.57-1 fixed
trixie (security)	6.12.48-1 fixed
forky	6.17.9-1 fixed
sid	6.17.10-1 fixed