| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025070934-CVE-2025-38249-a6a3@gregkh> Date: Wed, 9 Jul 2025 12:42:41 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38249: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor. The Linux kernel CVE team has assigned CVE-2025-38249 to this issue. Affected and fixed versions =========================== Issue introduced in 4.17 with commit 9a2fe9b801f585baccf8352d82839dcd54b300cf and fixed in 6.1.143 with commit 6eb211788e1370af52a245d4d7da35c374c7b401 Issue introduced in 4.17 with commit 9a2fe9b801f585baccf8352d82839dcd54b300cf and fixed in 6.6.96 with commit 74fcb3852a2f579151ce80b9ed96cd916ba0d5d8 Issue introduced in 4.17 with commit 9a2fe9b801f585baccf8352d82839dcd54b300cf and fixed in 6.12.36 with commit 0ee87c2814deb5e42921281116ac3abcb326880b Issue introduced in 4.17 with commit 9a2fe9b801f585baccf8352d82839dcd54b300cf and fixed in 6.15.5 with commit 11e740dc1a2c8590eb7074b5c4ab921bb6224c36 Issue introduced in 4.17 with commit 9a2fe9b801f585baccf8352d82839dcd54b300cf and fixed in 6.16-rc4 with commit fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38249 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: sound/usb/stream.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/6eb211788e1370af52a245d4d7da35c374c7b401 https://git.kernel.org/stable/c/74fcb3852a2f579151ce80b9ed96cd916ba0d5d8 https://git.kernel.org/stable/c/0ee87c2814deb5e42921281116ac3abcb326880b https://git.kernel.org/stable/c/11e740dc1a2c8590eb7074b5c4ab921bb6224c36 https://git.kernel.org/stable/c/fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a
Powered by blists - more mailing lists