Memory Corruption Vulnerability in Linux Kernel CDC-ACM Driver
CVE-2025-21704
What is CVE-2025-21704?
CVE-2025-21704 is a memory corruption vulnerability in the Linux kernel's CDC-ACM driver, which handles communication with USB modems and other devices that use the Communication Device Class Abstract Control Model (CDC-ACM) protocol. The flaw lies in the driver's memory handling and affects the security and stability of systems running the Linux kernel. Successful exploitation could crash the system or allow unauthorized access to sensitive data.
Technical Details
The vulnerability arises from improper handling of control transfer buffer sizes within the CDC-ACM driver. Specifically, when the first fragment of a received control transfer is smaller than the expected structure size, the driver may attempt to read memory locations outside the bounds of the received data. This miscalculation can lead to memory corruption when the expected size changes between received fragments. While this flaw has been present since the early development of Linux, it was exacerbated by a specific commit that altered how fragmented notifications are reassembled. The flaw can be triggered only after a user-space process has accessed the relevant device file, but automatic actions by related services such as ModemManager can increase the risk of exposure.
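The safe form of the reassembly logic described above, as an added user-space model (not the kernel driver's code and not from the original page): the length field is read only after the whole header has accumulated, and the expected size is fixed once. The names `reasm`, `reasm_feed`, `demo_split_header` and the 64-byte capacity are assumptions for illustration; the 8-byte header with `wLength` at offset 6 follows the USB CDC notification layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 8u   /* USB CDC notification header; wLength is at offset 6 */
#define BUF_CAP 64u  /* constructed buffer capacity for this model */

enum feed_result { NEED_MORE, COMPLETE, REJECTED };

struct reasm {
    uint8_t buf[BUF_CAP];
    size_t have;      /* bytes accumulated so far */
    size_t expected;  /* total message size; 0 until the header is complete */
};

/* Feed one fragment (hypothetical helper). Caller zeroes *r after COMPLETE. */
enum feed_result reasm_feed(struct reasm *r, const uint8_t *frag, size_t len)
{
    if (len > BUF_CAP - r->have)
        goto reject;                  /* fragment would overrun buf */
    memcpy(r->buf + r->have, frag, len);
    r->have += len;

    if (r->expected == 0) {
        if (r->have < HDR_LEN)
            return NEED_MORE;         /* short first fragment: wLength not here yet */
        /* Header complete: read little-endian wLength from accumulated bytes only. */
        r->expected = HDR_LEN + ((size_t)r->buf[6] | ((size_t)r->buf[7] << 8));
        if (r->expected > BUF_CAP)
            goto reject;              /* announced size exceeds capacity */
    }
    if (r->have > r->expected)
        goto reject;                  /* more data than the header announced */
    return r->have == r->expected ? COMPLETE : NEED_MORE;

reject:
    r->have = r->expected = 0;        /* drop partial state, start clean */
    return REJECTED;
}

/* Constructed sample: a 10-byte notification (wLength = 2) split as 3 + 7 bytes. */
enum feed_result demo_split_header(void)
{
    static const uint8_t msg[10] = { 0xA1, 0x20, 0, 0, 0, 0, 2, 0, 0x03, 0x00 };
    struct reasm r = { .have = 0, .expected = 0 };
    if (reasm_feed(&r, msg, 3) != NEED_MORE)
        return REJECTED;
    return reasm_feed(&r, msg + 3, 7);
}
```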
Potential impact of CVE-2025-21704
- System Instability: Exploitation of this vulnerability can lead to unpredictable system behavior, including crashes or freezes, jeopardizing critical services and operations reliant on stable Linux environments.
- Unauthorized Memory Access: The vulnerability can enable attackers to manipulate memory access patterns, potentially allowing them to read or overwrite sensitive data, thereby compromising system confidentiality and integrity.
- Increased Attack Surface: Given that the flaw can be triggered automatically based on device interactions, it broadens the risk profile for devices connected to Linux-based systems, making them more susceptible to targeted attacks and further exploitation by malicious actors.

Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 90dd2f1b7342b9a671a5ea4160f408037b92b118
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 871619c2b78fdfe05afb4e8ba548678687beb812