CVE-2025-37810 (GCVE-0-2025-37810)
Vulnerability from cvelistv5
Published
2025-05-08 06:26
Modified
2025-05-26 05:21
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: check that event count does not exceed event buffer length The event count is read from register DWC3_GEVNTCOUNT. There is a check for the count being zero, but not for exceeding the event buffer length. Check that event count does not exceed event buffer length, avoiding an out-of-bounds access when memcpy'ing the event. Crash log: Unable to handle kernel paging request at virtual address ffffffc0129be000 pc : __memcpy+0x114/0x180 lr : dwc3_check_event_buf+0xec/0x348 x3 : 0000000000000030 x2 : 000000000000dfc4 x1 : ffffffc0129be000 x0 : ffffff87aad60080 Call trace: __memcpy+0x114/0x180 dwc3_interrupt+0x24/0x34
References
Impacted products
Vendor Product Version
Linux Linux Version: 72246da40f3719af3bfd104a2365b32537c27d83
Version: 72246da40f3719af3bfd104a2365b32537c27d83
Version: 72246da40f3719af3bfd104a2365b32537c27d83
Version: 72246da40f3719af3bfd104a2365b32537c27d83
Version: 72246da40f3719af3bfd104a2365b32537c27d83
Version: 72246da40f3719af3bfd104a2365b32537c27d83
Version: 72246da40f3719af3bfd104a2365b32537c27d83
Version: 72246da40f3719af3bfd104a2365b32537c27d83
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "015c39f38e69a491d2abd5e98869a500a9459b3b",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "b43225948b231b3f331194010f84512bee4d9f59",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "c0079630f268843a25ed75226169cba40e0d8880",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "a44547015287a19001384fe94dbff84c92ce4ee1",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "c4d80e41cb42008dceb35e5dbf52574d93beac0d",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "52a7c9d930b95aa8b1620edaba4818040c32631f",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "99d655119b870ee60e4dbf310aa9a1ed8d9ede3d",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "63ccd26cd1f6600421795f6ca3e625076be06c9f",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.136",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: check that event count does not exceed event buffer length\n\nThe event count is read from register DWC3_GEVNTCOUNT.\nThere is a check for the count being zero, but not for exceeding the\nevent buffer length.\nCheck that event count does not exceed event buffer length,\navoiding an out-of-bounds access when memcpy\u0027ing the event.\nCrash log:\nUnable to handle kernel paging request at virtual address ffffffc0129be000\npc : __memcpy+0x114/0x180\nlr : dwc3_check_event_buf+0xec/0x348\nx3 : 0000000000000030 x2 : 000000000000dfc4\nx1 : ffffffc0129be000 x0 : ffffff87aad60080\nCall trace:\n__memcpy+0x114/0x180\ndwc3_interrupt+0x24/0x34"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:20.910Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/015c39f38e69a491d2abd5e98869a500a9459b3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b43225948b231b3f331194010f84512bee4d9f59"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0079630f268843a25ed75226169cba40e0d8880"
        },
        {
          "url": "https://git.kernel.org/stable/c/a44547015287a19001384fe94dbff84c92ce4ee1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4d80e41cb42008dceb35e5dbf52574d93beac0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/52a7c9d930b95aa8b1620edaba4818040c32631f"
        },
        {
          "url": "https://git.kernel.org/stable/c/99d655119b870ee60e4dbf310aa9a1ed8d9ede3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/63ccd26cd1f6600421795f6ca3e625076be06c9f"
        }
      ],
      "title": "usb: dwc3: gadget: check that event count does not exceed event buffer length",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37810",
    "datePublished": "2025-05-08T06:26:08.144Z",
    "dateReserved": "2025-04-16T04:51:23.942Z",
    "dateUpdated": "2025-05-26T05:21:20.910Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-37810\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-08T07:15:52.197\",\"lastModified\":\"2025-05-08T14:39:09.683\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: dwc3: gadget: check that event count does not exceed event buffer length\\n\\nThe event count is read from register DWC3_GEVNTCOUNT.\\nThere is a check for the count being zero, but not for exceeding the\\nevent buffer length.\\nCheck that event count does not exceed event buffer length,\\navoiding an out-of-bounds access when memcpy\u0027ing the event.\\nCrash log:\\nUnable to handle kernel paging request at virtual address ffffffc0129be000\\npc : __memcpy+0x114/0x180\\nlr : dwc3_check_event_buf+0xec/0x348\\nx3 : 0000000000000030 x2 : 000000000000dfc4\\nx1 : ffffffc0129be000 x0 : ffffff87aad60080\\nCall trace:\\n__memcpy+0x114/0x180\\ndwc3_interrupt+0x24/0x34\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: dwc3: gadget: comprobar que el recuento de eventos no supere la longitud del b\u00fafer de eventos. El recuento de eventos se lee del registro DWC3_GEVNTCOUNT. Se comprueba que el recuento sea cero, pero no que supere la longitud del b\u00fafer de eventos. Se comprueba que el recuento de eventos no supere la longitud del b\u00fafer de eventos, lo que evita un acceso fuera de los l\u00edmites al copiar el evento a memoria. Registro de fallos: No se puede gestionar la solicitud de paginaci\u00f3n del n\u00facleo en la direcci\u00f3n virtual ffffffc0129be000 pc : __memcpy+0x114/0x180 lr : dwc3_check_event_buf+0xec/0x348 x3 : 0000000000000030 x2 : 000000000000dfc4 x1 : ffffffc0129be000 x0 : ffffff87aad60080 Rastreo de llamadas: __memcpy+0x114/0x180 dwc3_interrupt+0x24/0x34\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/015c39f38e69a491d2abd5e98869a500a9459b3b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/52a7c9d930b95aa8b1620edaba4818040c32631f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/63ccd26cd1f6600421795f6ca3e625076be06c9f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/99d655119b870ee60e4dbf310aa9a1ed8d9ede3d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a44547015287a19001384fe94dbff84c92ce4ee1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b43225948b231b3f331194010f84512bee4d9f59\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c0079630f268843a25ed75226169cba40e0d8880\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c4d80e41cb42008dceb35e5dbf52574d93beac0d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.