Out-of-Bounds Read Vulnerability in Linux Kernel Affecting Audio USB Devices
CVE-2025-38249

Currently unrated

Key Information:

Vendor

Linux
Status
Linux
Vendor
CVE Published:
9 July 2025

What is CVE-2025-38249?

A vulnerability in the Linux kernel's USB audio subsystem allows an attacker to exploit an out-of-bounds read scenario. The issue arises in the function snd_usb_get_audioformat_uac3(), where length values from snd_usb_ctl_msg() are utilized without proper validation. The absence of a length check may result in a buffer being allocated that is insufficient for the expected uac3_cluster_header_descriptor. This flaw could lead to unauthorized access to memory regions, accentuating the need for timely updates and patches.

Affected Version(s)

Linux 9a2fe9b801f585baccf8352d82839dcd54b300cf < 6eb211788e1370af52a245d4d7da35c374c7b401

Linux 9a2fe9b801f585baccf8352d82839dcd54b300cf < 74fcb3852a2f579151ce80b9ed96cd916ba0d5d8

Linux 9a2fe9b801f585baccf8352d82839dcd54b300cf < 0ee87c2814deb5e42921281116ac3abcb326880b

References

https://git.kernel.org/stable/c/6eb211788e1370af52a245d4d...
https://git.kernel.org/stable/c/74fcb3852a2f579151ce80b9e...
https://git.kernel.org/stable/c/0ee87c2814deb5e4292128111...

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-38249 : Out-of-Bounds Read Vulnerability in Linux Kernel Affecting Audio USB Devices