CVE-2025-21704: Fixes buffer size check in the USB CDC-ACM driver
In the Linux kernel, the following vulnerability has been resolved:
usb: cdc-acm: Check control transfer buffer size before access
If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing expected_size - acm->nb_index to wrap.
This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications").
A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.
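The size arithmetic described above, as an added example that is not the kernel's code: a userspace C model showing how a length read from beyond the received bytes can shrink expected_size below the buffered count and make the subtraction wrap. HDR_LEN, the function names, and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 8  /* CDC notification header; wLength is bytes 6..7, little-endian */

static size_t parse_expected_size(const uint8_t *xfer)
{
    return HDR_LEN + (size_t)(xfer[6] | (xfer[7] << 8));
}

/* Before the fix (model): the length is read even when fewer than HDR_LEN
 * bytes arrived, so it comes from whatever the buffer held before. */
static size_t expected_size_unchecked(const uint8_t *xfer, size_t received)
{
    (void)received;
    return parse_expected_size(xfer);
}

/* After the fix (model): 0 on success, -1 means log and discard. */
static int expected_size_checked(const uint8_t *xfer, size_t received, size_t *out)
{
    if (received < HDR_LEN)
        return -1;
    *out = parse_expected_size(xfer);
    return 0;
}

/* Models expected_size - acm->nb_index in unsigned arithmetic. */
static size_t remaining(size_t expected_size, size_t nb_index)
{
    return expected_size - nb_index;
}

int main(void)
{
    /* Constructed transfer buffer: only the first 4 bytes were received;
     * bytes 4..7 are stale leftovers that encode wLength = 0x0002. */
    uint8_t xfer[16] = { 0xA1, 0x20, 0x00, 0x00, 0xEE, 0xEE, 0x02, 0x00 };
    size_t e = 0, nb_index = 24; /* constructed: 24 bytes already buffered */

    printf("unchecked expected_size: %zu\n", expected_size_unchecked(xfer, 4));
    printf("remaining after shrink:  %zu\n",
           remaining(expected_size_unchecked(xfer, 4), nb_index));
    printf("checked result:          %d\n", expected_size_checked(xfer, 4, &e));
    return 0;
}
```

A wrapped remaining() value used as a copy length is what turns the stale length into memory corruption; the checked variant never produces a length for the short fragment.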
Frequently Asked Questions
What is the severity of CVE-2025-21704?
CVE-2025-21704 has a severity rating that requires attention: a missing size check on the control transfer buffer in the cdc-acm driver can lead to memory corruption.
How do I fix CVE-2025-21704?
To fix CVE-2025-21704, upgrade to the latest version of the Linux kernel that addresses this specific vulnerability.
Which versions of the Linux kernel are affected by CVE-2025-21704?
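The missing check has been present since the beginning of git history, but it only leads to memory corruption in kernels that include commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications").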
What impact does CVE-2025-21704 have on systems?
CVE-2025-21704 can lead to memory corruption in the kernel when the cdc-acm driver handles fragmented notifications from a USB device, which may cause erratic behavior or security risks on affected systems.
Is a patch available for CVE-2025-21704?
Yes, a patch for CVE-2025-21704 is included in the updates for the Linux kernel released after the vulnerability was identified.