CVE-2025-40004
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
20/10/2025
Last modified:
15/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/9p: Fix buffer overflow in USB transport layer<br />
<br />
A buffer overflow vulnerability exists in the USB 9pfs transport layer<br />
where inconsistent size validation between packet header parsing and<br />
actual data copying allows a malicious USB host to overflow heap buffers.<br />
<br />
The issue occurs because:<br />
- usb9pfs_rx_header() validates only the declared size in packet header<br />
- usb9pfs_rx_complete() uses req->actual (actual received bytes) for<br />
memcpy<br />
<br />
This allows an attacker to craft packets with small declared size<br />
(bypassing validation) but large actual payload (triggering overflow<br />
in memcpy).<br />
<br />
Add validation in usb9pfs_rx_complete() to ensure req->actual does not<br />
exceed the buffer capacity before copying data.