| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025072812-CVE-2025-38474-0663@gregkh> Date: Mon, 28 Jul 2025 13:22:17 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38474: usb: net: sierra: check for no status endpoint From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interrupt input. Rectify the omission. The Linux kernel CVE team has assigned CVE-2025-38474 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.1.147 with commit 5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9 Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.6.100 with commit 5dd6a441748dad2f02e27b256984ca0b2d4546b6 Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.12.40 with commit 65c666aff44eb7f9079c55331abd9687fb77ba2d Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.15.8 with commit bfe8ef373986e8f185d3d6613eb1801a8749837a Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.16 with commit 4c4ca3c46167518f8534ed70f6e3b4bf86c4d158 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38474 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/usb/sierra_net.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9 https://git.kernel.org/stable/c/5dd6a441748dad2f02e27b256984ca0b2d4546b6 https://git.kernel.org/stable/c/65c666aff44eb7f9079c55331abd9687fb77ba2d https://git.kernel.org/stable/c/bfe8ef373986e8f185d3d6613eb1801a8749837a https://git.kernel.org/stable/c/4c4ca3c46167518f8534ed70f6e3b4bf86c4d158
Powered by blists - more mailing lists