CVE-2025-38729

Опубликовано: 04 сент. 2025

Источник: redhat

CVSS3: 7.1

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too.

Отчет

A malicious or malformed USB Audio Class 3.0 device could provide a power-domain descriptor with an invalid bLength, leading the usb-audio parser to read past the end of the buffer. The fix adds explicit length checks for UAC3 power domain descriptors to prevent OOB access.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 10	kernel	Affected
Red Hat Enterprise Linux 6	kernel	Not affected
Red Hat Enterprise Linux 7	kernel	Affected
Red Hat Enterprise Linux 7	kernel-rt	Affected
Red Hat Enterprise Linux 8	kernel	Affected
Red Hat Enterprise Linux 8	kernel-rt	Affected
Red Hat Enterprise Linux 9	kernel	Affected
Red Hat Enterprise Linux 9	kernel-rt	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-125

https://bugzilla.redhat.com/show_bug.cgi?id=2393164kernel: ALSA: usb-audio: Validate UAC3 power domain descriptors, too

7.1 High

CVSS3

Связанные уязвимости

CVE-2025-38729

ubuntu

2 месяца назад

CVE-2025-38729

nvd

2 месяца назад

CVE-2025-38729

CVSS3: 7

msrc

2 месяца назад

ALSA: usb-audio: Validate UAC3 power domain descriptors, too

CVE-2025-38729

debian

2 месяца назад

In the Linux kernel, the following vulnerability has been resolved: A ...

GHSA-hh9x-rr36-2f2w

github

2 месяца назад

7.1 High

CVSS3