{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21704", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.751Z", "datePublished": "2025-02-22T09:43:37.377Z", "dateUpdated": "2025-03-25T12:21:01.932Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-25T12:21:01.932Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-acm: Check control transfer buffer size before access\n\nIf the first fragment is shorter than struct usb_cdc_notification, we can't\ncalculate an expected_size. Log an error and discard the notification\ninstead of reading lengths from memory outside the received data, which can\nlead to memory corruption when the expected_size decreases between\nfragments, causing `expected_size - acm->nb_index` to wrap.\n\nThis issue has been present since the beginning of git history; however,\nit only leads to memory corruption since commit ea2583529cd1\n(\"cdc-acm: reassemble fragmented notifications\").\n\nA mitigating factor is that acm_ctrl_irq() can only execute after userspace\nhas opened /dev/ttyACM*; but if ModemManager is running, ModemManager will\ndo that automatically depending on the USB device's vendor/product IDs and\nits other interfaces."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/class/cdc-acm.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "90dd2f1b7342b9a671a5ea4160f408037b92b118", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "871619c2b78fdfe05afb4e8ba548678687beb812", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "7828e9363ac4d23b02419bf2a45b9f1d9fb35646", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6abb510251e75f875797d8983a830e6731fa281c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f64079bef6a8a7823358c3f352ea29a617844636", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "383d516a0ebc8641372b521c8cb717f0f1834831", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e563b01208f4d1f609bcab13333b6c0e24ce6a01", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/class/cdc-acm.c"], "versions": [{"version": "2.6.12", "status": "affected"}, {"version": "0", "lessThan": "2.6.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.291", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.235", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.179", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.129", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.79", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.16", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.4", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2"}, {"url": "https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118"}, {"url": "https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812"}, {"url": "https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646"}, {"url": "https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c"}, {"url": "https://git.kernel.org/stable/c/f64079bef6a8a7823358c3f352ea29a617844636"}, {"url": "https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831"}, {"url": "https://git.kernel.org/stable/c/e563b01208f4d1f609bcab13333b6c0e24ce6a01"}, {"url": "https://project-zero.issues.chromium.org/issues/395107243"}], "title": "usb: cdc-acm: Check control transfer buffer size before access", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-acm: Check control transfer buffer size before access\n\nIf the first fragment is shorter than struct usb_cdc_notification, we can't\ncalculate an expected_size. Log an error and discard the notification\ninstead of reading lengths from memory outside the received data, which can\nlead to memory corruption when the expected_size decreases between\nfragments, causing `expected_size - acm->nb_index` to wrap.\n\nThis issue has been present since the beginning of git history; however,\nit only leads to memory corruption since commit ea2583529cd1\n(\"cdc-acm: reassemble fragmented notifications\").\n\nA mitigating factor is that acm_ctrl_irq() can only execute after userspace\nhas opened /dev/ttyACM*; but if ModemManager is running, ModemManager will\ndo that automatically depending on the USB device's vendor/product IDs and\nits other interfaces."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: cdc-acm: Verificar el tama\u00f1o del b\u00fafer de transferencia de control antes del acceso Si el primer fragmento es m\u00e1s corto que struct usb_cdc_notification, no podemos calcular un expected_size. Registra un error y descarta la notificaci\u00f3n en lugar de leer longitudes de la memoria fuera de los datos recibidos, lo que puede provocar una corrupci\u00f3n de la memoria cuando el expected_size disminuye entre fragmentos, lo que hace que `expected_size - acm->nb_index` se ajuste. Este problema ha estado presente desde el comienzo de la historia de git; sin embargo, solo conduce a la corrupci\u00f3n de la memoria desde el commit ea2583529cd1 (\"cdc-acm: reensamblar notificaciones fragmentadas\"). Un factor atenuante es que acm_ctrl_irq() solo se puede ejecutar despu\u00e9s de que el espacio de usuario haya abierto /dev/ttyACM*; pero si ModemManager se est\u00e1 ejecutando, ModemManager lo har\u00e1 autom\u00e1ticamente dependiendo de los ID de proveedor/producto del dispositivo USB y sus otras interfaces."}], "id": "CVE-2025-21704", "lastModified": "2025-03-25T13:15:40.507", "metrics": {}, "published": "2025-02-22T10:15:11.263", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e563b01208f4d1f609bcab13333b6c0e24ce6a01"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f64079bef6a8a7823358c3f352ea29a617844636"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://project-zero.issues.chromium.org/issues/395107243"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: usb: cdc-acm: Check control transfer buffer size before access", "id": "2347083", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347083"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-130", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusb: cdc-acm: Check control transfer buffer size before access\nIf the first fragment is shorter than struct usb_cdc_notification, we can't\ncalculate an expected_size. Log an error and discard the notification\ninstead of reading lengths from memory outside the received data, which can\nlead to memory corruption when the expected_size decreases between\nfragments, causing `expected_size - acm->nb_index` to wrap.\nThis issue has been present since the beginning of git history; however,\nit only leads to memory corruption since commit ea2583529cd1\n(\"cdc-acm: reassemble fragmented notifications\").\nA mitigating factor is that acm_ctrl_irq() can only execute after userspace\nhas opened /dev/ttyACM*; but if ModemManager is running, ModemManager will\ndo that automatically depending on the USB device's vendor/product IDs and\nits other interfaces."], "name": "CVE-2025-21704", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21704\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21704\nhttps://lore.kernel.org/linux-cve-announce/2025022235-CVE-2025-21704-7d61@gregkh/T"], "threat_severity": "Moderate"}