VYPR
← All advisories
Medium severity6.6NVD Advisory· Published Nov 4, 2017· Updated May 13, 2026

CVE-2017-16531

CVE-2017-16531

Description

drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A lack of size validation for USB_DT_INTERFACE_ASSOCIATION descriptors in the Linux kernel before 4.13.6 allows a local attacker to trigger an out-of-bounds read via a crafted USB device, causing a denial of service (system crash).

Vulnerability

In the Linux kernel before version 4.13.6, the drivers/usb/core/config.c file does not properly validate the size of USB_DT_INTERFACE_ASSOCIATION descriptors during USB configuration parsing [2]. The usb_parse_configuration() function only checks that the descriptor length is at least 2 bytes, whereas the find_iad() function in drivers/usb/core/message.c accesses intf_assoc->bInterfaceCount assuming a larger structure [2][3]. This lack of a complete length check allows a specially crafted USB device to cause an out-of-bounds read when the kernel processes the descriptor during device enumeration [2]. The vulnerability affects all kernels prior to the fix commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb [3].

Exploitation

An attacker needs physical access to the system or the ability to connect a malicious USB device to a USB port [1][2]. No special authentication or elevated privileges are required beyond the ability to attach a USB device. By crafting a USB descriptor that violates the expected size constraints, the attacker can trigger the out-of-bounds memory access when the kernel’s USB subsystem enumerates the device [2]. The proof-of-concept trigger was demonstrated using the syzkaller fuzzer with a dummy HCD (host controller driver) [2].

Impact

Successful exploitation leads to a kernel panic (denial of service) due to reading out-of-bounds memory [2]. The crash is a read of size 1 from an invalid address, which can cause a system hang or reboot [2]. The official description also mentions “possibly have unspecified other impact,” but the available references only confirm denial of service and do not demonstrate code execution or privilege escalation [1][2].

Mitigation

The vulnerability is fixed in Linux kernel version 4.13.6 [1][3]. The commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb adds a proper length check (bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) and skips descriptors that are too short [3]. Users should update to kernel 4.13.6 or later, or apply distribution-specific patches such as those provided in Ubuntu USN-3754-1 [1]. No workarounds are documented; the only mitigation is to apply the kernel update.

References
  1. USN-3754-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu
  2. usb/core: slab-out-of-bounds in usb_set_configuration
  3. USB: fix out-of-bounds in usb_set_configuration · torvalds/linux@bd7a3fe

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

60

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.