CVE-2025-38348
BaseFortify

Publication date: 2025-07-10

Last updated on: 2025-12-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()

Robert Morris reported:
|If a malicious USB device pretends to be an Intersil p54 wifi
|interface and generates an eeprom_readback message with a large
|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the
|message beyond the end of priv->eeprom.
|
|static void p54_rx_eeprom_readback(struct p54_common *priv,
|                                   struct sk_buff *skb)
|{
|        struct p54_hdr *hdr = (struct p54_hdr *) skb->data;
|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;
|
|        if (priv->fw_var >= 0x509) {
|                memcpy(priv->eeprom, eeprom->v2.data,
|                       le16_to_cpu(eeprom->v2.len));
|        } else {
|                memcpy(priv->eeprom, eeprom->v1.data,
|                       le16_to_cpu(eeprom->v1.len));
|        }
|        [...]

The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().
The device is supposed to provide the same length back to the driver.
But yes, it's possible (like shown in the report) to alter the value to
something that causes a crash/panic due to overrun.

This patch addresses the issue by adding the size to the common device
context, so p54_rx_eeprom_readback no longer relies on possibly tampered
values... That said, it also checks if the "firmware" altered the value
and no longer copies them.

The one, small saving grace is: Before the driver tries to read the
eeprom, it needs to upload >a< firmware. The vendor firmware has a
proprietary license and as a reason, it is not present on most
distributions by default.
Meta Information
Generated: 2026-05-27
AI Q&A: 2025-07-10
EPSS Evaluated: 2026-05-25
NVD
Affected Vendors & Products (2 associated CPEs)
Vendor   Product        Version / Range
linux    linux_kernel   From 5.11 (inc) to 5.15.186 (inc)
debian   debian_linux   11.0
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a buffer overflow in the Linux kernel's p54 wifi driver, specifically in the function p54_rx_eeprom_readback(). A malicious USB device pretending to be an Intersil p54 wifi interface can send a crafted eeprom_readback message with an abnormally large length value. This causes the driver to copy more data than the allocated buffer size, leading to a buffer overflow. The issue arises because the driver trusts the length value provided by the device, which can be tampered with. The patch fixes this by using a size stored in the device context rather than the potentially tampered length, and by checking if the firmware altered the value before copying.
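The Description above and this answer both describe the same defect and fix: the receive path trusted a device-supplied length, and the patch records the requested size in the device context and refuses the copy when the returned length differs. The following C model is an added illustration, not the p54 driver's code or the commit's patch. It assumes a hypothetical 32-byte EEPROM buffer and a simplified v1 message layout (a 16-bit little-endian length followed by data bytes); the function and field names are invented for the model. The unpatched behaviour is shown as a dry run that reports how far the original memcpy would have overrun, rather than performing it.

```c
/* Added model of the p54 EEPROM readback length check (not the driver's code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EEPROM_SIZE 32   /* hypothetical size of priv->eeprom for this model */

/* Model of the parts of the device context the readback path touches. */
struct p54_model {
    uint8_t eeprom[EEPROM_SIZE];
    size_t  eeprom_req_len;   /* length the driver asked for: the size the patch stores */
};

static uint16_t le16_to_host(const uint8_t b[2]) {
    return (uint16_t)(b[0] | (b[1] << 8));
}

/* Driver side of the request (p54_download_eeprom() in the real driver):
 * record how much we asked for so the reply can be checked against it. */
int request_eeprom(struct p54_model *priv, size_t len) {
    if (len > sizeof(priv->eeprom)) return -1;
    priv->eeprom_req_len = len;
    return 0;
}

/* Hardened receive path. Returns the number of bytes copied, or -1 if the
 * message is rejected. 'msg_len' is the number of bytes actually received. */
int rx_eeprom_readback_fixed(struct p54_model *priv, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2) return -1;                      /* no room for the length field */
    uint16_t claimed = le16_to_host(msg);
    if (claimed != priv->eeprom_req_len) return -1;  /* device altered the length */
    if (claimed > sizeof(priv->eeprom)) return -1;   /* would overrun priv->eeprom */
    if ((size_t)claimed > msg_len - 2) return -1;    /* would read past the frame */
    memcpy(priv->eeprom, msg + 2, claimed);
    return (int)claimed;
}

/* Unpatched logic as a dry run: how many bytes past the end of priv->eeprom
 * the original unchecked memcpy would have written. Nothing is copied. */
size_t rx_eeprom_readback_overrun(const struct p54_model *priv, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2) return 0;
    uint16_t claimed = le16_to_host(msg);
    return claimed > sizeof(priv->eeprom) ? claimed - sizeof(priv->eeprom) : 0;
}

/* Build a constructed readback message: length field plus 'payload_len' bytes
 * of 'fill'. Returns the total message size, or 0 if it does not fit in 'out'. */
size_t build_msg(uint8_t *out, size_t out_cap, uint16_t claimed_len, size_t payload_len, uint8_t fill) {
    if (payload_len + 2 > out_cap) return 0;
    out[0] = (uint8_t)(claimed_len & 0xff);
    out[1] = (uint8_t)(claimed_len >> 8);
    memset(out + 2, fill, payload_len);
    return payload_len + 2;
}

int main(void) {
    struct p54_model priv = {0};
    uint8_t msg[2 + EEPROM_SIZE * 4];
    request_eeprom(&priv, 16);

    /* An honest device echoes the requested length. */
    size_t n = build_msg(msg, sizeof msg, 16, 16, 0xAB);
    printf("honest device: copied %d bytes\n", rx_eeprom_readback_fixed(&priv, msg, n));

    /* A device that inflates the length field (constructed input). */
    n = build_msg(msg, sizeof msg, 4096, EEPROM_SIZE * 4, 0x41);
    printf("tampered length: unpatched copy would overrun by %zu bytes, fixed path returns %d\n",
           rx_eeprom_readback_overrun(&priv, msg, n), rx_eeprom_readback_fixed(&priv, msg, n));
    return 0;
}
```

The three checks in rx_eeprom_readback_fixed are deliberately separate: the equality test is the patch's "did the firmware alter the value" check, while the two upper-bound tests guard the destination buffer and the received frame independently, so a mismatch in either direction is rejected before any byte is copied.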


How can this vulnerability impact me?

This vulnerability can cause a system crash or kernel panic due to the buffer overflow when a malicious USB device sends a specially crafted message. This could lead to denial of service or potentially allow an attacker to execute arbitrary code with kernel privileges if exploited further.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure your Linux kernel is updated to a version that includes the patch preventing buffer overflow in p54_rx_eeprom_readback(). Avoid connecting untrusted or potentially malicious USB devices that may impersonate an Intersil p54 wifi interface. Since the vulnerability involves a proprietary firmware not present by default on most distributions, verifying firmware integrity and applying vendor updates when available is also recommended.

