High severity7.8NVD Advisory· Published Feb 22, 2025· Updated May 12, 2026

CVE-2025-21704

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: cdc-acm: Check control transfer buffer size before access

If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing expected_size - acm->nb_index to wrap.

This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications").

A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.

Affected products

Linux/Linuxv5
Range: 2.6.12

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

project-zero.issues.chromium.org/issues/395107243nvdExploitIssue TrackingThird Party Advisory
cert-portal.siemens.com/productcert/html/ssa-265688.htmlnvd
lists.debian.org/debian-lts-announce/2025/03/msg00028.htmlnvd
lists.debian.org/debian-lts-announce/2025/05/msg00030.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000