GHSA-2X4W-2J26-P5HX

Vulnerability from github – Published: 2025-03-07 09:30 – Updated: 2025-11-03 21:33
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_midi: fix MIDI Streaming descriptor lengths

While the MIDI jacks are configured correctly, and the MIDIStreaming endpoint descriptors are filled with the correct information, bNumEmbMIDIJack and bLength are set incorrectly in these descriptors.

This does not matter when the numbers of in and out ports are equal, but when they differ the host will receive broken descriptors with uninitialized stack memory leaking into the descriptor for whichever value is smaller.

The precise meaning of "in" and "out" in the port counts is not clearly defined and can be confusing. But elsewhere the driver consistently uses this to match the USB meaning of IN and OUT viewed from the host, so that "in" ports send data to the host and "out" ports receive data from it.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21835"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-07T09:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_midi: fix MIDI Streaming descriptor lengths\n\nWhile the MIDI jacks are configured correctly, and the MIDIStreaming\nendpoint descriptors are filled with the correct information,\nbNumEmbMIDIJack and bLength are set incorrectly in these descriptors.\n\nThis does not matter when the numbers of in and out ports are equal, but\nwhen they differ the host will receive broken descriptors with\nuninitialized stack memory leaking into the descriptor for whichever\nvalue is smaller.\n\nThe precise meaning of \"in\" and \"out\" in the port counts is not clearly\ndefined and can be confusing.  But elsewhere the driver consistently\nuses this to match the USB meaning of IN and OUT viewed from the host,\nso that \"in\" ports send data to the host and \"out\" ports receive data\nfrom it.",
  "id": "GHSA-2x4w-2j26-p5hx",
  "modified": "2025-11-03T21:33:08Z",
  "published": "2025-03-07T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21835"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3a983390d14e8498f303fc5cb23ab7d696b815db"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6ae6dee9f005a2f3b739b85abb6f14a0935699e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b16761a928796e4b49e89a0b1ac284155172726"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f36a89dcb78cb7e37f487b04a16396ac18c0636"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f6860a9c11301b052225ca8825f8d2b1a5825bf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2d0694e1f111379c1efdf439dadd3cfd959fe9d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8e86700c8a8cf415e300a0921acd6a8f9b494f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da1668997052ed1cb00322e1f3b63702615c9429"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.