CVE-2025-38224

EPSS 0.03%
Veröffentlicht 04.07.2025 13:37:39
Zuletzt bearbeitet 08.07.2025 16:18:53
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
Teams Watchlist Login
Unerledigt Login

In the Linux kernel, the following vulnerability has been resolved:

can: kvaser_pciefd: refine error prone echo_skb_max handling logic

echo_skb_max should define the supported upper limit of echo_skb[]
allocated inside the netdevice's priv. The corresponding size value
provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT
which is 17.

But later echo_skb_max is rounded up to the nearest power of two (for the
max case, that would be 32) and the tx/ack indices calculated further
during tx/rx may exceed the upper array boundary. Kasan reported this for
the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit
function has actually caught the same thing earlier.

 BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528
 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0

 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary)
 Call Trace:
  <IRQ>
 dump_stack_lvl lib/dump_stack.c:122
 print_report mm/kasan/report.c:521
 kasan_report mm/kasan/report.c:634
 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528
 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605
 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656
 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684
 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733
 __handle_irq_event_percpu kernel/irq/handle.c:158
 handle_irq_event kernel/irq/handle.c:210
 handle_edge_irq kernel/irq/chip.c:833
 __common_interrupt arch/x86/kernel/irq.c:296
 common_interrupt arch/x86/kernel/irq.c:286
  </IRQ>

Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq
numbers' generation that's not the case - we're free to calculate them as
would be more convenient, not taking tx max count into account. The only
downside is that the size of echo_skb[] should correspond to the max seq
number (not tx max count), so in some situations a bit more memory would
be consumed than could be.

Thus make the size of the underlying echo_skb[] sufficient for the rounded
max tx value.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < d8a054b6e6824a8b52c3977ebd38c9583a63efac

Version 352fbde14177d608a54120b6ff559ce5b3cf6238

Status affected

Version < a6550c9aa11e2f57f9cdaa6249cdd44d446be874

Version 8256e0ca601051933e9395746817f3801fa9a6bf

Status affected

Version < 54ec8b08216f3be2cc98b33633d3c8ea79749895

Version 8256e0ca601051933e9395746817f3801fa9a6bf

Status affected

Version f14512f3ee09cda986191c8dd7f54972afa2c763

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.15

Status affected

Version < 6.15

Version 0

Status unaffected

Version <= 6.12.*

Version 6.12.35

Status unaffected

Version <= 6.15.*

Version 6.15.4

Status unaffected

Version <= *

Version 6.16

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.052

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/d8a054b6e6824a8b52c3977ebd38c9583a63efac

https://git.kernel.org/stable/c/a6550c9aa11e2f57f9cdaa6249cdd44d446be874

https://git.kernel.org/stable/c/54ec8b08216f3be2cc98b33633d3c8ea79749895

https://nvd.nist.gov/vuln/detail/CVE-2025-38224

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-38224

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-38224

EUVD