VYPR
Medium severity · CVSS 6.8 · NVD Advisory · Published Nov 4, 2017 · Updated May 13, 2026

CVE-2017-16534

Description

The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A lack of buffer length validation in the Linux kernel's CDC header parsing leads to an out-of-bounds read, causing a system crash from a malicious USB device.

Vulnerability

The cdc_parse_cdc_header function in drivers/usb/core/message.c of the Linux kernel, prior to version 4.13.6, fails to properly validate the buflen parameter before indexing into the buffer array. The only check is while (buflen > 0), which proves only that buffer[0] is readable and does not ensure that subsequent accesses to buffer[1], buffer[2], etc., remain within bounds. This allows a crafted USB device to trigger an out-of-bounds read. The vulnerability was discovered via kernel fuzzing with syzkaller [1] and affects all kernels before the fix [2].

Exploitation

An attacker must have physical access to the system or the ability to connect a malicious USB device. When the device is enumerated, the kernel's USB subsystem processes its descriptors, calling usbnet_generic_cdc_bind and eventually cdc_parse_cdc_header. By providing a specially crafted CDC descriptor with a length field that misrepresents the actual buffer size, the attacker causes the function to read beyond the allocated buffer. No authentication or special privileges are required beyond the ability to attach the USB device; the exploit occurs automatically during the enumeration process in the hub_event workqueue [1].

Impact

A successful out-of-bounds read triggers a Kernel Address Sanitizer (KASAN) slab-out-of-bounds error, leading to a kernel panic and system denial of service. The crash may prevent legitimate USB device enumeration and cause system instability. While the description mentions the possibility of other unspecified impact, the primary demonstrated consequence is a denial of service [1]. The attacker does not gain elevated privileges or code execution, but can reliably crash the system.

Mitigation

The vulnerability is fixed in Linux kernel version 4.13.6 and later [2]. The commit 2e1c42391ff2556387b3cb6308b24f6f65619feb adds proper length validation: it ensures that the buffer has sufficient data before each access. Users should update their kernel to 4.13.6 or apply the patch. Workarounds include not connecting untrusted USB devices or using USB device authorization controls, but the definitive solution is the kernel update. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
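The pattern described in the Vulnerability and Mitigation sections, a descriptor walker that must check the bytes it is about to index, is shown below as an added example. This is not the kernel's cdc_parse_cdc_header code or the fixing commit; it is a constructed, minimal walker over an assumed CDC functional-descriptor layout (bLength, bDescriptorType, bDescriptorSubType, payload), with the CS_INTERFACE and subtype values, the struct and the enum names all chosen for this example. The sample chains are constructed inputs: one well-formed, one whose last element claims more bytes than remain, one with a zero bLength, and one consisting of a single trailing byte, which satisfies buflen > 0 but not any access past buffer[0].

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not the kernel's code: a minimal walker over a USB
 * class-specific (CDC) descriptor chain. Assumed element layout:
 *   byte 0  bLength            total length of this element, including itself
 *   byte 1  bDescriptorType    CS_INTERFACE for class-specific descriptors
 *   byte 2  bDescriptorSubType which CDC functional descriptor this is
 *   byte 3+ subtype-specific payload
 */
#define CS_INTERFACE        0x24
#define CDC_SUBTYPE_HEADER  0x00
#define CDC_SUBTYPE_UNION   0x06

/* Fields recovered from the chain (hypothetical, for illustration). */
struct cdc_hdr_info {
    int has_header;
    int has_union;
    uint8_t master_if;
    uint8_t slave_if;
};

enum cdc_parse_status {
    CDC_OK = 0,
    CDC_ERR_SHORT_ELEMENT = -1, /* fewer than 3 bytes left: type/subtype unreadable */
    CDC_ERR_BAD_LENGTH    = -2, /* bLength < 3 (would never advance) or > bytes remaining */
    CDC_ERR_PAYLOAD       = -3, /* subtype needs more payload than bLength provides */
};

/* Hardened walk: every index into buffer[] is preceded by a check that the
 * byte exists. A bare `while (buflen > 0)` only proves buffer[0] is readable;
 * buffer[1], buffer[2] and the payload bytes need their own checks. */
int cdc_parse_descriptors(const uint8_t *buffer, size_t buflen,
                          struct cdc_hdr_info *info, size_t *count)
{
    size_t n = 0;
    info->has_header = info->has_union = 0;
    info->master_if = info->slave_if = 0;

    while (buflen > 0) {
        if (buflen < 3)
            return CDC_ERR_SHORT_ELEMENT;   /* buffer[1] or buffer[2] is out of bounds */
        uint8_t elength = buffer[0];
        if (elength < 3 || elength > buflen)
            return CDC_ERR_BAD_LENGTH;      /* device-supplied length must fit what we hold */

        if (buffer[1] == CS_INTERFACE) {
            switch (buffer[2]) {
            case CDC_SUBTYPE_HEADER:
                if (elength < 5)            /* bcdCDC occupies bytes 3..4 */
                    return CDC_ERR_PAYLOAD;
                info->has_header = 1;
                break;
            case CDC_SUBTYPE_UNION:
                if (elength < 5)            /* master interface at 3, slave at 4 */
                    return CDC_ERR_PAYLOAD;
                info->has_union = 1;
                info->master_if = buffer[3];
                info->slave_if = buffer[4];
                break;
            default:
                break;                      /* unknown subtype: skip by its own length */
            }
        }
        buffer += elength;
        buflen -= elength;                  /* cannot underflow: elength <= buflen */
        n++;
    }
    *count = n;
    return CDC_OK;
}

/* Constructed sample chains (not captured from a real device). */
static const uint8_t good_chain[] = {
    5, CS_INTERFACE, CDC_SUBTYPE_HEADER, 0x10, 0x01,  /* header, bcdCDC 1.10 */
    5, CS_INTERFACE, CDC_SUBTYPE_UNION,  0x00, 0x01,  /* union, master 0, slave 1 */
};
/* Second element claims 5 bytes but only 4 remain. */
static const uint8_t truncated_chain[] = {
    5, CS_INTERFACE, CDC_SUBTYPE_HEADER, 0x10, 0x01,
    5, CS_INTERFACE, CDC_SUBTYPE_UNION,  0x00,
};
/* bLength 0 would leave a trusting walker stuck on the same element. */
static const uint8_t zero_length_chain[] = { 0, CS_INTERFACE, CDC_SUBTYPE_HEADER, 0x10, 0x01 };
/* One trailing byte: buflen > 0 holds, but buffer[1] and buffer[2] do not exist. */
static const uint8_t one_byte_chain[] = { 5 };

int main(void)
{
    struct cdc_hdr_info info;
    size_t count = 0;
    int rc = cdc_parse_descriptors(good_chain, sizeof good_chain, &info, &count);
    printf("good chain: rc=%d elements=%zu master=%u slave=%u\n",
           rc, count, info.master_if, info.slave_if);
    printf("truncated chain: rc=%d\n",
           cdc_parse_descriptors(truncated_chain, sizeof truncated_chain, &info, &count));
    printf("zero-length chain: rc=%d\n",
           cdc_parse_descriptors(zero_length_chain, sizeof zero_length_chain, &info, &count));
    printf("one-byte chain: rc=%d\n",
           cdc_parse_descriptors(one_byte_chain, sizeof one_byte_chain, &info, &count));
    return 0;
}
```

The two checks that matter are `buflen < 3` before the type and subtype bytes are read, and `elength > buflen` before the element's own length is trusted; the per-subtype `elength < 5` checks extend the same idea to the payload. Rejecting the element, rather than clamping or skipping it, keeps the failure visible to the caller instead of letting a malformed descriptor pass silently.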

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 59


References: 3
