| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025103016-CVE-2025-40095-fde5@gregkh> Date: Thu, 30 Oct 2025 10:48:22 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40095: usb: gadget: f_rndis: Refactor bind path to use __free() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Refactor bind path to use __free() After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. The Linux kernel CVE team has assigned CVE-2025-40095 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.27 with commit 45fe3b8e5342cd1ce307099459c74011d8e01986 and fixed in 6.1.158 with commit ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1 Issue introduced in 2.6.27 with commit 45fe3b8e5342cd1ce307099459c74011d8e01986 and fixed in 6.6.114 with commit 5f65c8ad8c7292ed7e3716343fcd590a51818cc3 Issue introduced in 2.6.27 with commit 45fe3b8e5342cd1ce307099459c74011d8e01986 and fixed in 6.12.55 with commit 380353c3a92be7d928e6f973bd065c5b79755ac3 Issue introduced in 2.6.27 with commit 45fe3b8e5342cd1ce307099459c74011d8e01986 and fixed in 6.17.5 with commit a8366263b7e5b663d7fb489d3a9ba1e2600049a6 Issue introduced in 2.6.27 with commit 45fe3b8e5342cd1ce307099459c74011d8e01986 and fixed in 6.18-rc1 with commit 08228941436047bdcd35a612c1aec0912a29d8cd Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40095 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/gadget/function/f_rndis.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1 https://git.kernel.org/stable/c/5f65c8ad8c7292ed7e3716343fcd590a51818cc3 https://git.kernel.org/stable/c/380353c3a92be7d928e6f973bd065c5b79755ac3 https://git.kernel.org/stable/c/a8366263b7e5b663d7fb489d3a9ba1e2600049a6 https://git.kernel.org/stable/c/08228941436047bdcd35a612c1aec0912a29d8cd
Powered by blists - more mailing lists