A recently discovered vulnerability in the Linux kernel, identified as CVE-2025-21704, has been resolved. This vulnerability affects the USB Communication Device Class - Abstract Control Model (CDC-ACM) subsystem and can lead to memory corruption under certain conditions.
Details and Code Snippet
The vulnerability is tied to the way the USB CDC-ACM subsystem checks the control transfer buffer size before accessing it. Incorrect handling of this buffer size can cause memory corruption in certain cases.
The affected code snippet is shown below:

void acm_ctrl_irq(struct urb *urb)
{
    ...
    /* the notification header is read before its length has been validated */
    if (hdr->bNotificationType == USB_CDC_NOTIFY_NETWORK_CONNECTION) {
        /* expected_size is derived from header fields that may lie beyond
         * the bytes actually received when the first fragment is short */
        u16 expected_size = le16_to_cpu(hdr->wValue);
        ...
    }
    ...
}
If the first fragment of the control transfer is shorter than the struct usb_cdc_notification, it is not possible to calculate the expected_size correctly. The error handling in this case is insufficient and leads to lengths being read from memory locations outside the received data. This can result in memory corruption when the expected_size decreases between fragments, causing expected_size - acm->nb_index to wrap.
The issue has been present since the beginning of the git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications").
The mitigating factor here is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*. If ModemManager is running, it will automatically open the device based on the USB device's vendor/product IDs and its other interfaces.
Exploit Details
Successful exploitation of this vulnerability requires an attacker with physical access to craft a malicious USB device which, when connected to a vulnerable Linux system, may cause memory corruption. This could, in turn, result in a Denial of Service (DoS) or potentially even the execution of arbitrary code.
References and Patch
The issue has been resolved with a patch that has been published in the Linux kernel source code repository. The patch adds a check that discards the notification if the first fragment is shorter than struct usb_cdc_notification, so that expected_size is never computed from bytes outside the received data.
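The following is an added userspace model of the reassembly arithmetic described in the Details section and of the first-fragment check described in this patch paragraph; it is constructed for this write-up and is neither the kernel's code nor the patch itself. It assumes the 8-byte struct usb_cdc_notification layout with wLength at offset 6, and the fragment sequence fed to it is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed userspace model of the reassembly arithmetic described above
 * (not the kernel's code); buffers keep stale bytes, as the driver's do. */
#define HDR_LEN 8u       /* sizeof(struct usb_cdc_notification); wLength at 6 */
#define BUF_LEN 65544u   /* covers 8 + max wLength, so no krealloc() is modelled */
enum acm_rc { ACM_DISCARDED, ACM_NEED_MORE, ACM_COMPLETE, ACM_WRAPPED };
struct acm_model { uint8_t urb_buf[BUF_LEN], nb_buf[BUF_LEN]; unsigned nb_index; };

/* One acm_ctrl_irq() call; 'patched' enables the length check the fix adds. */
static enum acm_rc acm_ctrl_fragment(struct acm_model *acm, const uint8_t *frag,
                                     unsigned len, int patched)
{
    /* header: the URB for a first fragment, nb_buf afterwards; either may be stale */
    const uint8_t *hdr = acm->nb_index ? acm->nb_buf : acm->urb_buf;
    unsigned expected_size, copy_size, current_size = len;
    memcpy(acm->urb_buf, frag, len);           /* bytes past len stay stale */
    /* the fix: a first fragment shorter than the header has no usable wLength */
    if (patched && acm->nb_index == 0 && len < HDR_LEN)
        return ACM_DISCARDED;
    expected_size = HDR_LEN + (hdr[6] | (hdr[7] << 8)); /* read past len if short */
    if (current_size < expected_size) {        /* fragmented: reassemble */
        if (expected_size < acm->nb_index)     /* expected_size shrank, so */
            return ACM_WRAPPED;                /* expected_size - nb_index wraps */
        copy_size = expected_size - acm->nb_index;
        if (copy_size > current_size) copy_size = current_size;
        memcpy(&acm->nb_buf[acm->nb_index], acm->urb_buf, copy_size);
        current_size = acm->nb_index += copy_size;
    }
    if (current_size < expected_size)
        return ACM_NEED_MORE;
    acm->nb_index = 0;                         /* notification complete */
    return ACM_COMPLETE;
}

/* Constructed sequence: a well-formed 16-byte notification in two pieces,
 * then a first fragment of only 4 bytes followed by two more fragments. */
static enum acm_rc run_sequence(int patched)
{
    static const uint8_t hdr[8] = {0xA1, 0x20, 0, 0, 0, 0, 0x08, 0}; /* wLength 8 */
    static const uint8_t nxt[8] = {0, 0, 0x02, 0, 0, 0, 0, 0}; /* lands on wLength */
    static const uint8_t zero[8] = {0};
    struct acm_model m = {{0}};                /* 128 KiB, fine on a normal stack */
    acm_ctrl_fragment(&m, hdr, 8, patched);
    acm_ctrl_fragment(&m, zero, 8, patched);
    acm_ctrl_fragment(&m, hdr, 4, patched);    /* truncated header */
    acm_ctrl_fragment(&m, nxt, 8, patched);
    return acm_ctrl_fragment(&m, zero, 4, patched);
}
```

Without the check, the 4-byte first fragment takes wLength from stale buffer bytes and a later fragment overwrites the wLength field in the reassembly buffer, so expected_size drops below nb_index and the subtraction wraps; with the check, the short fragment is discarded before any length is derived from it.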
For further information regarding this vulnerability, please refer to the original disclosure and the Common Vulnerabilities and Exposures (CVE) database.
Recommendations and Conclusion
To protect your Linux systems from potential exploitation of this vulnerability, it is recommended to apply the patch and regularly update your kernel. In addition, exercise caution when connecting unknown USB devices to your systems.
While the patch and mitigating factors limit the impact of CVE-2025-21704, it serves as a reminder of the importance of continually monitoring and addressing vulnerabilities to maintain a secure and reliable computing environment.
Timeline
Published on: 02/22/2025 10:15:11 UTC
Last modified on: 03/25/2025 13:15:40 UTC