CVE-2025-40004
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
20/10/2025
Última modificación:
21/10/2025
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/9p: Fix buffer overflow in USB transport layer<br />
<br />
A buffer overflow vulnerability exists in the USB 9pfs transport layer<br />
where inconsistent size validation between packet header parsing and<br />
actual data copying allows a malicious USB host to overflow heap buffers.<br />
<br />
The issue occurs because:<br />
- usb9pfs_rx_header() validates only the declared size in packet header<br />
- usb9pfs_rx_complete() uses req->actual (actual received bytes) for<br />
memcpy<br />
<br />
This allows an attacker to craft packets with small declared size<br />
(bypassing validation) but large actual payload (triggering overflow<br />
in memcpy).<br />
<br />
Add validation in usb9pfs_rx_complete() to ensure req->actual does not<br />
exceed the buffer capacity before copying data.