VYPR
Unrated severityNVD Advisory· Published Jul 28, 2025· Updated Jan 2, 2026

usb: gadget: configfs: Fix OOB read on empty string write

CVE-2025-38497

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: configfs: Fix OOB read on empty string write

When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero.

This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning immediately.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

227

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.