CVE-2025-39757Out-of-bounds Read in Linux

CWE-125Out-of-bounds ReadCWE-20Improper Input Validation30 documents8 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 96.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LinuxLinux KernelDebian Linux
Timeline
PublishedSep 11
Latest updateMar 25

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages3 packages

NVDlinux/linux_kernel4.195.4.297+8
Debianlinux/linux_kernel< 5.10.244-1+3
CVEListV5linux/linux11785ef53228d23ec386f5fe4a34601536f0c891799c06ad4c9c790c265e8b6b94947213f1fb389c+9

Also affects: Debian Linux 11.0

Patches

Patch: git.kernel.orgPatch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

3
GHSA
GHSA-jrpg-g4vf-p4hw: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment de2025-09-11
OSV
CVE-2025-39757: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment desc2025-09-11
CVEList
ALSA: usb-audio: Validate UAC3 cluster segment descriptors2025-09-11

📋Vendor Advisories

26
Ubuntu
Linux kernel (Azure) vulnerabilities2026-03-25
Ubuntu
Linux kernel (Azure) vulnerabilities2026-03-04
Ubuntu
Linux kernel (Azure FIPS) vulnerabilities2026-03-04
Ubuntu
Linux kernel (Xilinx) vulnerabilities2026-02-24
Ubuntu
Linux kernel (IBM) vulnerabilities2026-02-24
CVE-2025-39757 — Out-of-bounds Read in Linux | cvebase