Exploitable Vulnerability in Linux Kernel's MIDI Streaming Descriptor Handling
CVE-2025-21835

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 7 March 2025

Summary

A flaw in the Linux kernel's USB MIDI Streaming endpoint descriptors can lead to the leakage of uninitialized stack memory into the descriptors when the number of 'in' and 'out' MIDI ports differs. This inconsistency may produce invalid descriptors, potentially affecting the correct operation of MIDI devices. The issue arises from misconfigured lengths in the MIDI jack descriptors (bNumEmbMIDIJack and bLength) that do not align with the protected definitions already used elsewhere in the driver, highlighting a critical oversight in descriptor management.

Affected Version(s)

Linux c8933c3f79568263c90a46f06cf80419e6c63c97 < 9f6860a9c11301b052225ca8825f8d2b1a5825bf

Linux c8933c3f79568263c90a46f06cf80419e6c63c97 < 6ae6dee9f005a2f3b739b85abb6f14a0935699e0

Linux c8933c3f79568263c90a46f06cf80419e6c63c97 < 6b16761a928796e4b49e89a0b1ac284155172726

References

https://git.kernel.org/stable/c/9f6860a9c11301b052225ca88...

https://git.kernel.org/stable/c/6ae6dee9f005a2f3b739b85ab...

https://git.kernel.org/stable/c/6b16761a928796e4b49e89a0b...

Timeline

Vulnerability published
Mar 7, 2025
Vulnerability Reserved
Dec 29, 2024