CVE-2025-21704

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: cdc-acm: Check control transfer buffer size before access<br /> <br /> If the first fragment is shorter than struct usb_cdc_notification, we can&amp;#39;t<br /> calculate an expected_size. Log an error and discard the notification<br /> instead of reading lengths from memory outside the received data, which can<br /> lead to memory corruption when the expected_size decreases between<br /> fragments, causing `expected_size - acm-&gt;nb_index` to wrap.<br /> <br /> This issue has been present since the beginning of git history; however,<br /> it only leads to memory corruption since commit ea2583529cd1<br /> ("cdc-acm: reassemble fragmented notifications").<br /> <br /> A mitigating factor is that acm_ctrl_irq() can only execute after userspace<br /> has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will<br /> do that automatically depending on the USB device&amp;#39;s vendor/product IDs and<br /> its other interfaces.