CVE-2025-38224 (GCVE-0-2025-38224)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-23 15:59
VLAI
Title
can: kvaser_pciefd: refine error prone echo_skb_max handling logic
Summary
In the Linux kernel, the following vulnerability has been resolved: can: kvaser_pciefd: refine error prone echo_skb_max handling logic echo_skb_max should define the supported upper limit of echo_skb[] allocated inside the netdevice's priv. The corresponding size value provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT which is 17. But later echo_skb_max is rounded up to the nearest power of two (for the max case, that would be 32) and the tx/ack indices calculated further during tx/rx may exceed the upper array boundary. Kasan reported this for the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit function has actually caught the same thing earlier. BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: <IRQ> dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 </IRQ> Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq numbers' generation that's not the case - we're free to calculate them as would be more convenient, not taking tx max count into account. The only downside is that the size of echo_skb[] should correspond to the max seq number (not tx max count), so in some situations a bit more memory would be consumed than could be. Thus make the size of the underlying echo_skb[] sufficient for the rounded max tx value. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
7.1 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 352fbde14177d608a54120b6ff559ce5b3cf6238 , < d8a054b6e6824a8b52c3977ebd38c9583a63efac (git)
Affected: 8256e0ca601051933e9395746817f3801fa9a6bf , < a6550c9aa11e2f57f9cdaa6249cdd44d446be874 (git)
Affected: 8256e0ca601051933e9395746817f3801fa9a6bf , < 54ec8b08216f3be2cc98b33633d3c8ea79749895 (git)
Affected: f14512f3ee09cda986191c8dd7f54972afa2c763 (git)
Affected: 6.12.31 , < 6.12.35 (semver)
Affected: 6.14.9 , < 6.15 (semver)
Create a notification for this product.
Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.12.35 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/kvaser_pciefd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d8a054b6e6824a8b52c3977ebd38c9583a63efac",
              "status": "affected",
              "version": "352fbde14177d608a54120b6ff559ce5b3cf6238",
              "versionType": "git"
            },
            {
              "lessThan": "a6550c9aa11e2f57f9cdaa6249cdd44d446be874",
              "status": "affected",
              "version": "8256e0ca601051933e9395746817f3801fa9a6bf",
              "versionType": "git"
            },
            {
              "lessThan": "54ec8b08216f3be2cc98b33633d3c8ea79749895",
              "status": "affected",
              "version": "8256e0ca601051933e9395746817f3801fa9a6bf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f14512f3ee09cda986191c8dd7f54972afa2c763",
              "versionType": "git"
            },
            {
              "lessThan": "6.12.35",
              "status": "affected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThan": "6.15",
              "status": "affected",
              "version": "6.14.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/kvaser_pciefd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_pciefd: refine error prone echo_skb_max handling logic\n\necho_skb_max should define the supported upper limit of echo_skb[]\nallocated inside the netdevice\u0027s priv. The corresponding size value\nprovided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT\nwhich is 17.\n\nBut later echo_skb_max is rounded up to the nearest power of two (for the\nmax case, that would be 32) and the tx/ack indices calculated further\nduring tx/rx may exceed the upper array boundary. Kasan reported this for\nthe ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit\nfunction has actually caught the same thing earlier.\n\n BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528\n Read of size 8 at addr ffff888105e4f078 by task swapper/4/0\n\n CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary)\n Call Trace:\n  \u003cIRQ\u003e\n dump_stack_lvl lib/dump_stack.c:122\n print_report mm/kasan/report.c:521\n kasan_report mm/kasan/report.c:634\n kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528\n kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605\n kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656\n kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684\n kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733\n __handle_irq_event_percpu kernel/irq/handle.c:158\n handle_irq_event kernel/irq/handle.c:210\n handle_edge_irq kernel/irq/chip.c:833\n __common_interrupt arch/x86/kernel/irq.c:296\n common_interrupt arch/x86/kernel/irq.c:286\n  \u003c/IRQ\u003e\n\nTx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq\nnumbers\u0027 generation that\u0027s not the case - we\u0027re free to calculate them as\nwould be more convenient, not taking tx max count into account. The only\ndownside is that the size of echo_skb[] should correspond to the max seq\nnumber (not tx max count), so in some situations a bit more memory would\nbe consumed than could be.\n\nThus make the size of the underlying echo_skb[] sufficient for the rounded\nmax tx value.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:59:13.673Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d8a054b6e6824a8b52c3977ebd38c9583a63efac"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6550c9aa11e2f57f9cdaa6249cdd44d446be874"
        },
        {
          "url": "https://git.kernel.org/stable/c/54ec8b08216f3be2cc98b33633d3c8ea79749895"
        }
      ],
      "title": "can: kvaser_pciefd: refine error prone echo_skb_max handling logic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38224",
    "datePublished": "2025-07-04T13:37:39.305Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2026-05-23T15:59:13.673Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-38224",
      "date": "2026-06-22",
      "epss": "0.0014",
      "percentile": "0.03605"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38224\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-04T14:15:31.110\",\"lastModified\":\"2025-11-18T16:44:28.037\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncan: kvaser_pciefd: refine error prone echo_skb_max handling logic\\n\\necho_skb_max should define the supported upper limit of echo_skb[]\\nallocated inside the netdevice\u0027s priv. The corresponding size value\\nprovided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT\\nwhich is 17.\\n\\nBut later echo_skb_max is rounded up to the nearest power of two (for the\\nmax case, that would be 32) and the tx/ack indices calculated further\\nduring tx/rx may exceed the upper array boundary. Kasan reported this for\\nthe ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit\\nfunction has actually caught the same thing earlier.\\n\\n BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528\\n Read of size 8 at addr ffff888105e4f078 by task swapper/4/0\\n\\n CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary)\\n Call Trace:\\n  \u003cIRQ\u003e\\n dump_stack_lvl lib/dump_stack.c:122\\n print_report mm/kasan/report.c:521\\n kasan_report mm/kasan/report.c:634\\n kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528\\n kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605\\n kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656\\n kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684\\n kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733\\n __handle_irq_event_percpu kernel/irq/handle.c:158\\n handle_irq_event kernel/irq/handle.c:210\\n handle_edge_irq kernel/irq/chip.c:833\\n __common_interrupt arch/x86/kernel/irq.c:296\\n common_interrupt arch/x86/kernel/irq.c:286\\n  \u003c/IRQ\u003e\\n\\nTx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq\\nnumbers\u0027 generation that\u0027s not the case - we\u0027re free to calculate them as\\nwould be more convenient, not taking tx max count into account. The only\\ndownside is that the size of echo_skb[] should correspond to the max seq\\nnumber (not tx max count), so in some situations a bit more memory would\\nbe consumed than could be.\\n\\nThus make the size of the underlying echo_skb[] sufficient for the rounded\\nmax tx value.\\n\\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: kvaser_pciefd: refinar la l\u00f3gica de manejo de echo_skb_max, propensa a errores. echo_skb_max deber\u00eda definir el l\u00edmite superior admitido de echo_skb[] asignado dentro del priv del dispositivo de red. El valor de tama\u00f1o correspondiente proporcionado por este controlador a alloc_candev() es KVASER_PCIEFD_CAN_TX_MAX_COUNT, que es 17. Sin embargo, posteriormente, echo_skb_max se redondea a la potencia de dos m\u00e1s cercana (para el caso m\u00e1ximo, ser\u00eda 32) y los \u00edndices de transmisi\u00f3n/recepci\u00f3n calculados posteriormente durante la transmisi\u00f3n/recepci\u00f3n pueden superar el l\u00edmite superior de la matriz. Kasan inform\u00f3 esto para el caso de confirmaci\u00f3n dentro de kvaser_pciefd_handle_ack_packet(), aunque la funci\u00f3n xmit ya hab\u00eda detectado el mismo problema anteriormente. ERROR: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace:  dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286  El recuento m\u00e1ximo de transmisiones es importante para kvaser_pciefd_tx_avail(), pero no para la generaci\u00f3n de n\u00fameros de secuencia. Podemos calcularlo como nos convenga, sin tener en cuenta el recuento m\u00e1ximo de transmisiones. La \u00fanica desventaja es que el tama\u00f1o de echo_skb[] deber\u00eda corresponder al n\u00famero m\u00e1ximo de secuencia (no al recuento m\u00e1ximo de transmisiones), por lo que, en algunos casos, se consumir\u00eda m\u00e1s memoria de la que se podr\u00eda. Por lo tanto, el tama\u00f1o de echo_skb[] subyacente debe ser suficiente para el valor m\u00e1ximo de transmisi\u00f3n redondeado. Encontrado por el Centro de Verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.12.31\",\"versionEndExcluding\":\"6.12.35\",\"matchCriteriaId\":\"346346E3-B8E6-4C1E-982B-B5FCDB958E51\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.14.9\",\"versionEndExcluding\":\"6.15\",\"matchCriteriaId\":\"2932EEA2-2EDB-4FE6-9BF4-C1F90FF22950\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.15.1\",\"versionEndExcluding\":\"6.15.4\",\"matchCriteriaId\":\"BC343CA8-C054-44E4-830F-78CCA31461E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1ECC65A-EE37-4479-8E99-4BB68A22A31F\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/54ec8b08216f3be2cc98b33633d3c8ea79749895\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a6550c9aa11e2f57f9cdaa6249cdd44d446be874\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d8a054b6e6824a8b52c3977ebd38c9583a63efac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.