Message-ID: <2025072812-CVE-2025-38474-0663@gregkh>
Date: Mon, 28 Jul 2025 13:22:17 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38474: usb: net: sierra: check for no status endpoint
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
usb: net: sierra: check for no status endpoint
The driver checks for having three endpoints and
having bulk in and out endpoints, but not that
the third endpoint is interrupt input.
Rectify the omission.
The Linux kernel CVE team has assigned CVE-2025-38474 to this issue.
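The gap described above, shown as a stand-alone userspace illustration (an added example, not the kernel patch and not code from sierra_net.c): one validator checks only the endpoint count and the bulk pair, the other also requires an interrupt IN endpoint. The struct, function names and sample descriptor values are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Field encodings from the USB endpoint descriptor. */
#define EP_DIR_IN    0x80 /* bEndpointAddress bit 7: 1 = IN */
#define EP_XFER_MASK 0x03 /* bmAttributes bits 1..0: transfer type */
#define EP_XFER_BULK 0x02
#define EP_XFER_INT  0x03

/* Hypothetical, simplified descriptor; not the kernel's structure. */
struct ep_desc { uint8_t bEndpointAddress, bmAttributes; };
static int is_in(const struct ep_desc *e) { return (e->bEndpointAddress & EP_DIR_IN) != 0; }
static int xfer(const struct ep_desc *e) { return e->bmAttributes & EP_XFER_MASK; }

/* Incomplete validation: endpoint count plus bulk IN and bulk OUT only. */
int check_incomplete(const struct ep_desc *eps, size_t n)
{
    int bulk_in = 0, bulk_out = 0;
    if (n != 3) return -1;
    for (size_t i = 0; i < n; i++) {
        if (xfer(&eps[i]) != EP_XFER_BULK)
            continue;
        if (is_in(&eps[i])) bulk_in = 1; else bulk_out = 1;
    }
    return (bulk_in && bulk_out) ? 0 : -1;
}

/* Complete validation: the remaining endpoint must be interrupt IN. */
int check_complete(const struct ep_desc *eps, size_t n)
{
    if (check_incomplete(eps, n) != 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (xfer(&eps[i]) == EP_XFER_INT && is_in(&eps[i]))
            return 0;
    return -1; /* no interrupt IN endpoint: reject the interface */
}

/* Constructed sample descriptor sets {bEndpointAddress, bmAttributes}. */
const struct ep_desc well_formed[3] = { {0x81, 0x02}, {0x02, 0x02}, {0x83, 0x03} };
const struct ep_desc third_is_iso[3] = { {0x81, 0x02}, {0x02, 0x02}, {0x83, 0x01} };

int main(void)
{
    printf("well_formed:  incomplete=%d complete=%d\n", check_incomplete(well_formed, 3), check_complete(well_formed, 3));
    printf("third_is_iso: incomplete=%d complete=%d\n", check_incomplete(third_is_iso, 3), check_complete(third_is_iso, 3));
    return 0;
}
```

The second sample passes the incomplete validator and is rejected by the complete one, which is the difference the fix closes.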
Affected and fixed versions
===========================
Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.1.147 with commit 5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9
Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.6.100 with commit 5dd6a441748dad2f02e27b256984ca0b2d4546b6
Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.12.40 with commit 65c666aff44eb7f9079c55331abd9687fb77ba2d
Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.15.8 with commit bfe8ef373986e8f185d3d6613eb1801a8749837a
Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.16 with commit 4c4ca3c46167518f8534ed70f6e3b4bf86c4d158
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38474
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/usb/sierra_net.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9
https://git.kernel.org/stable/c/5dd6a441748dad2f02e27b256984ca0b2d4546b6
https://git.kernel.org/stable/c/65c666aff44eb7f9079c55331abd9687fb77ba2d
https://git.kernel.org/stable/c/bfe8ef373986e8f185d3d6613eb1801a8749837a
https://git.kernel.org/stable/c/4c4ca3c46167518f8534ed70f6e3b4bf86c4d158