CVE-2025-38680
Description
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), but the function accesses buffer[3], requiring at least 4 bytes.
This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A 1-byte out-of-bounds read in the Linux kernel's UVC video driver (uvc_parse_format) can occur when parsing a malformed USB video descriptor with exactly 3 bytes.
Vulnerability Description
The vulnerability resides in the Linux kernel's UVC (USB Video Class) driver. The function uvc_parse_format() accesses buffer[3] during parsing, but the preceding length check only ensures buflen > 2. Consequently, if a USB video descriptor provides exactly 3 bytes, the driver performs a one-byte out-of-bounds read [1]. This flaw was introduced because the buffer length validation was insufficient for the function's requirements.
Exploitation Conditions
Exploitation requires a malicious USB video device that supplies a malformed descriptor with a length of exactly 3 bytes. An attacker would need physical access to the system or the ability to emulate a USB device. No authentication is required beyond the USB connection itself. The out-of-bounds read occurs during the parsing of the format descriptor, which is triggered when the device is enumerated.
Impact
An out-of-bounds read can lead to the disclosure of sensitive kernel memory or cause a system crash (denial of service). The CVSS v3 score of 7.1 (High) reflects the potential for significant confidentiality and availability impacts. The Siemens advisory [1] lists this CVE among many affecting the SIMATIC CN 4100 product line.
Mitigation
The fix adds a check for buflen >= 4 in uvc_parse_format(), ensuring the buffer is large enough before accessing index 3. Patches have been applied to the stable kernel trees [2][3][4]. Users should update to the latest kernel version. For affected Siemens products, upgrading to SIMATIC CN 4100 V5.0 remediates the issue [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
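The length check described above, as an added example: this is a simplified userspace model, not the kernel's uvc_parse_format() and not code from the advisory. The struct, function names and sample bytes are assumptions made for illustration; the old guard is represented as a predicate so that no out-of-bounds access is actually performed.

```c
/* Userspace model of the length check; not the kernel's uvc_parse_format(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FMT_HDR_MIN_LEN 4u  /* parser reads buffer[3], so 4 bytes are required */

struct fmt_hdr { uint8_t subtype; uint8_t index; };  /* hypothetical struct */

/* Guard as described for the pre-fix code: only buflen > 2 was ensured. */
static int old_guard_accepts(size_t buflen) { return buflen > 2; }

/* 1 if the old guard lets through a buffer too short for buffer[3]. */
int old_guard_allows_oob(size_t buflen)
{
    return old_guard_accepts(buflen) && buflen < FMT_HDR_MIN_LEN;
}

/* Counts the lengths in [0, max_len] that the old guard wrongly accepts. */
size_t count_unguarded_lengths(size_t max_len)
{
    size_t n = 0;
    for (size_t len = 0; len <= max_len; len++)
        n += (size_t)old_guard_allows_oob(len);
    return n;
}

/* Fixed form: the parser itself rejects anything shorter than 4 bytes. */
int parse_format_fixed(const uint8_t *buffer, size_t buflen, struct fmt_hdr *out)
{
    if (buflen < FMT_HDR_MIN_LEN)
        return -1;               /* too short: never touch buffer[3] */
    out->subtype = buffer[2];
    out->index = buffer[3];
    return 0;
}

int main(void)
{
    /* Constructed sample bytes, not captured from a real device. */
    const uint8_t desc[] = { 0x04, 0x24, 0x04, 0x01 };
    struct fmt_hdr h;

    for (size_t len = 2; len <= sizeof(desc); len++)
        printf("buflen=%zu old_guard_gap=%d fixed=%d\n", len,
               old_guard_allows_oob(len), parse_format_fixed(desc, len, &h));
    return 0;
}
```

The sweep shows that exactly one length, 3, passes the old guard while being too short for the access at index 3, which is the case the fix closes.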
Affected products
- Range: stable/c/9ad554217c9b945031c73df4e8176a475e2dea57
- Linux/Linux v5 Range: 2.6.26
References
- git.kernel.org/stable/c/1e269581b3aa5962fdc52757ab40da286168c087 (nvd, Patch)
- git.kernel.org/stable/c/424980d33b3f816485513e538610168b03fab9f1 (nvd, Patch)
- git.kernel.org/stable/c/6d4a7c0b296162354b6fc759a1475b9d57ddfaa6 (nvd, Patch)
- git.kernel.org/stable/c/782b6a718651eda3478b1824b37a8b3185d2740c (nvd, Patch)
- git.kernel.org/stable/c/8343f3fe0b755925f83d60b05e92bf4396879758 (nvd, Patch)
- git.kernel.org/stable/c/9ad554217c9b945031c73df4e8176a475e2dea57 (nvd, Patch)
- git.kernel.org/stable/c/a97e062e4ff3dab84a2f1eb811e9eddc6699e2a9 (nvd, Patch)
- git.kernel.org/stable/c/cac702a439050df65272c49184aef7975fe3eff2 (nvd, Patch)
- git.kernel.org/stable/c/ffdd82182953df643aa63d999b6f1653d0c93778 (nvd, Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00007.html (nvd, Third Party Advisory)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)