CVE-2025-39757
BaseFortify
Publication date: 2025-09-11
Last updated on: 2025-11-03
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.10.244 |
| linux | linux_kernel | 6.1.153 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Linux kernel's ALSA usb-audio driver, specifically in the handling of UAC3 (USB Audio Class 3) cluster segment descriptors. The issue is that these descriptors were not properly validated to ensure their sizes matched the declared lengths and fit within allocated buffer sizes. This lack of validation could allow malicious firmware to cause unexpected out-of-bounds (OOB) memory accesses.
How can this vulnerability impact me?
The vulnerability can lead to unexpected out-of-bounds memory accesses caused by malicious firmware exploiting the improper validation of UAC3 cluster segment descriptors. This could potentially result in system instability, crashes, or allow an attacker to execute arbitrary code or cause denial of service on affected systems.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for validating UAC3 cluster segment descriptors in the ALSA usb-audio driver. The fix verifies that the size of each UAC3 cluster segment descriptor matches its declared length and fits within the allocated buffer, preventing the out-of-bounds accesses that malicious firmware could otherwise trigger.
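As an added illustration of the check the description and the fix refer to (this is example code, not the kernel's own patch or anything from BaseFortify), the C walker below rejects a device-supplied descriptor blob as soon as a segment's declared length is smaller than its header or larger than the bytes that remain. The segment layout (a little-endian 16-bit length followed by a type byte) and the sample blobs are assumptions constructed for the example, not the kernel's UAC3 structure definitions.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed, simplified segment layout for this example: a little-endian
 * 16-bit wLength followed by one type byte, then wLength-3 payload bytes.
 * This is NOT the kernel's own UAC3 structure definition. */
#define SEG_HDR_LEN 3u

/* Walk a buffer of cluster segment descriptors supplied by device firmware.
 * Every field the device controls is checked before it is trusted:
 *   1. enough bytes remain for a segment header,
 *   2. the declared length covers at least the header (a zero or tiny
 *      length would otherwise stall the loop or misparse the type byte),
 *   3. the declared length fits inside the bytes that actually remain
 *      (the out-of-bounds case the advisory describes).
 * Returns the number of well-formed segments, or -1 on the first
 * malformed segment so the caller rejects the whole descriptor. */
int validate_cluster_segments(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        size_t remaining = len - off;
        if (remaining < SEG_HDR_LEN)
            return -1;                          /* truncated header */

        uint16_t wlength = (uint16_t)(buf[off] | (buf[off + 1] << 8));
        if (wlength < SEG_HDR_LEN)
            return -1;                          /* declared length too small */
        if (wlength > remaining)
            return -1;                          /* declared length overruns buffer */

        /* Only now is buf[off .. off + wlength) safe to read. */
        off += wlength;
        count++;
    }
    return count;
}

/* Constructed sample blobs (not captured from a real device). */
const uint8_t seg_good[] = { 0x05, 0x00, 0x01, 0xAA, 0xBB,   /* len 5, type 1 */
                             0x03, 0x00, 0x02 };             /* len 3, type 2 */
const uint8_t seg_overrun[] = { 0x05, 0x00, 0x01, 0xAA, 0xBB,
                                0x10, 0x00, 0x02 };          /* claims 16, 3 remain */
const uint8_t seg_zero[] = { 0x00, 0x00, 0x01 };             /* zero length */
const uint8_t seg_truncated[] = { 0x05, 0x00 };              /* header cut off */
```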