CVE-2025-38481
published 2025-07-28CVE-2025-38481: In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the…
medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to
hold the array of `struct comedi_insn`, getting the length from the
`n_insns` member of the `struct comedi_insnlist` supplied by the user.
The allocation will fail with a WARNING and a stack dump if it is too
large.
Avoid that by failing with an `-EINVAL` error if the supplied `n_insns`
value is unreasonable.
Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set
this to the same value as `MAX_SAMPLES` (65536), which is the maximum
allowed sum of the values of the member `n` in the array of `struct
comedi_insn`, and sensible comedi instructions will have an `n` of at
least 1.
Affected
38 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= ed9eccbe8970f6eedc1b978c157caf1251a896d4 < 454d732dfd0aef7d7aa950c409215ca06d717e93 | 454d732dfd0aef7d7aa950c409215ca06d717e93 |
| linux | linux | >= ed9eccbe8970f6eedc1b978c157caf1251a896d4 < c68257588e87f45530235701a42496b7e9e56adb | c68257588e87f45530235701a42496b7e9e56adb |
| linux | linux | >= ed9eccbe8970f6eedc1b978c157caf1251a896d4 < 69dc06b9514522de532e997a21d035cd29b0db44 | 69dc06b9514522de532e997a21d035cd29b0db44 |
| linux | linux | >= ed9eccbe8970f6eedc1b978c157caf1251a896d4 < d4c73ce13f5b5a0fe0319f1f352ff602f0ace8e3 | d4c73ce13f5b5a0fe0319f1f352ff602f0ace8e3 |
| linux | linux | >= ed9eccbe8970f6eedc1b978c157caf1251a896d4 < c9d3d9667443caafa804cd07940aeaef8e53aa90 | c9d3d9667443caafa804cd07940aeaef8e53aa90 |
| linux | linux | >= ed9eccbe8970f6eedc1b978c157caf1251a896d4 < 992d600f284e719242a434166e86c1999649b71c | 992d600f284e719242a434166e86c1999649b71c |
| linux | linux | >= ed9eccbe8970f6eedc1b978c157caf1251a896d4 < e3b8322cc8081d142ee4c1a43e1d702bdba1ed76 | e3b8322cc8081d142ee4c1a43e1d702bdba1ed76 |
| linux | linux | >= ed9eccbe8970f6eedc1b978c157caf1251a896d4 < 08ae4b20f5e82101d77326ecab9089e110f224cc | 08ae4b20f5e82101d77326ecab9089e110f224cc |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.41-1 | 6.12.41-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 2.6.29 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.147 | 6.1.147 |
| linux | linux_kernel | >= 5.5 < 5.10.241 | 5.10.241 |
| linux | linux_kernel | >= 6.13 < 6.15.8 | 6.15.8 |
| linux | linux_kernel | >= 6.2 < 6.6.100 | 6.6.100 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM