CVE-2025-38555
published 2025-08-19CVE-2025-38555: In the Linux kernel, the following vulnerability has been resolved: usb: gadget : fix use-after-free in composite_dev_cleanup() 1. In func…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget : fix use-after-free in composite_dev_cleanup()
1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
set to NULL. Then it will return a failure to the upper-level function.
2. in func configfs_composite_bind() -> composite_dev_cleanup():
it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it
will attempt to use it.This will lead to a use-after-free issue.
BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
Read of size 8 at addr 0000004827837a00 by task init/1
CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1
kasan_report+0x188/0x1cc
__asan_load8+0xb4/0xbc
composite_dev_cleanup+0xf4/0x2c0
configfs_composite_bind+0x210/0x7ac
udc_bind_to_driver+0xb4/0x1ec
usb_gadget_probe_driver+0xec/0x21c
gadget_dev_desc_UDC_store+0x264/0x27c
Affected
38 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.148-1 (bookworm) | linux 6.1.148-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.148-1 (bookworm) | linux 6.1.148-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 37a3a533429ef9b3cc9f15a656c19623f0e88df7 < dba96dfa5a0f685b959dd28a52ac8dab0b805204 | dba96dfa5a0f685b959dd28a52ac8dab0b805204 |
| linux | linux | >= 37a3a533429ef9b3cc9f15a656c19623f0e88df7 < 2db29235e900a084a656dea7e0939b0abb7bb897 | 2db29235e900a084a656dea7e0939b0abb7bb897 |
| linux | linux | >= 37a3a533429ef9b3cc9f15a656c19623f0e88df7 < 8afb22aa063f706f3343707cdfb8cda4d021dd33 | 8afb22aa063f706f3343707cdfb8cda4d021dd33 |
| linux | linux | >= 37a3a533429ef9b3cc9f15a656c19623f0e88df7 < e624bf26127645a2f7821e73fdf6dc64bad07835 | e624bf26127645a2f7821e73fdf6dc64bad07835 |
| linux | linux | >= 37a3a533429ef9b3cc9f15a656c19623f0e88df7 < aada327a9f8028c573636fa60c0abc80fb8135c9 | aada327a9f8028c573636fa60c0abc80fb8135c9 |
| linux | linux | >= 37a3a533429ef9b3cc9f15a656c19623f0e88df7 < 5f06ee9f9a3665d43133f125c17e5258a13f3963 | 5f06ee9f9a3665d43133f125c17e5258a13f3963 |
| linux | linux | >= 37a3a533429ef9b3cc9f15a656c19623f0e88df7 < bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba | bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba |
| linux | linux | >= 37a3a533429ef9b3cc9f15a656c19623f0e88df7 < e1be1f380c82a69f80c68c96a7cfe8759fb30355 | e1be1f380c82a69f80c68c96a7cfe8759fb30355 |
| linux | linux | >= 37a3a533429ef9b3cc9f15a656c19623f0e88df7 < 151c0aa896c47a4459e07fee7d4843f44c1bb18e | 151c0aa896c47a4459e07fee7d4843f44c1bb18e |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.148-1 | 6.1.148-1 |
| linux | linux_kernel | >= 0 < 6.12.43-1 | 6.12.43-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 3.16 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.148 | 6.1.148 |
| linux | linux_kernel | >= 5.5 < 5.10.241 | 5.10.241 |
| linux | linux_kernel | >= 6.13 < 6.15.10 | 6.15.10 |
| linux | linux_kernel | >= 6.16 < 6.16.1 | 6.16.1 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH