GHSA-V7FR-3JHM-3QHW

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-01-08 15:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

comedi: Make insn_rw_emulate_bits() do insn->n samples

The insn_rw_emulate_bits() function is used as a default handler for INSN_READ instructions for subdevices that have a handler for INSN_BITS but not for INSN_READ. Similarly, it is used as a default handler for INSN_WRITE instructions for subdevices that have a handler for INSN_BITS but not for INSN_WRITE. It works by emulating the INSN_READ or INSN_WRITE instruction handling with a constructed INSN_BITS instruction. However, INSN_READ and INSN_WRITE instructions are supposed to be able read or write multiple samples, indicated by the insn->n value, but insn_rw_emulate_bits() currently only handles a single sample. For INSN_READ, the comedi core will copy insn->n samples back to user-space. (That triggered KASAN kernel-infoleak errors when insn->n was greater than 1, but that is being fixed more generally elsewhere in the comedi core.)

Make insn_rw_emulate_bits() either handle insn->n samples, or return an error, to conform to the general expectation for INSN_READ and INSN_WRITE handlers.

Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39686"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T18:15:45Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Make insn_rw_emulate_bits() do insn-\u003en samples\n\nThe `insn_rw_emulate_bits()` function is used as a default handler for\n`INSN_READ` instructions for subdevices that have a handler for\n`INSN_BITS` but not for `INSN_READ`.  Similarly, it is used as a default\nhandler for `INSN_WRITE` instructions for subdevices that have a handler\nfor `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the\n`INSN_READ` or `INSN_WRITE` instruction handling with a constructed\n`INSN_BITS` instruction.  However, `INSN_READ` and `INSN_WRITE`\ninstructions are supposed to be able read or write multiple samples,\nindicated by the `insn-\u003en` value, but `insn_rw_emulate_bits()` currently\nonly handles a single sample.  For `INSN_READ`, the comedi core will\ncopy `insn-\u003en` samples back to user-space.  (That triggered KASAN\nkernel-infoleak errors when `insn-\u003en` was greater than 1, but that is\nbeing fixed more generally elsewhere in the comedi core.)\n\nMake `insn_rw_emulate_bits()` either handle `insn-\u003en` samples, or return\nan error, to conform to the general expectation for `INSN_READ` and\n`INSN_WRITE` handlers.",
  "id": "GHSA-v7fr-3jhm-3qhw",
  "modified": "2026-01-08T15:31:25Z",
  "published": "2025-09-05T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39686"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7afba9221f70d4cbce0f417c558879cba0eb5e66"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/842f307a1d115b24f2bcb2415c4e344f11f55930"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92352ed2f9ac422181e381c2430c2d0dfb46faa0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab77e85bd3bc006ef40738f26f446a660813da44"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc0a2f142d655700db43de90cb6abf141b73d908"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.