CVE-2025-39686
Description
In the Linux kernel, the following vulnerability has been resolved:
comedi: Make insn_rw_emulate_bits() do insn->n samples
The insn_rw_emulate_bits() function is used as a default handler for INSN_READ instructions for subdevices that have a handler for INSN_BITS but not for INSN_READ. Similarly, it is used as a default handler for INSN_WRITE instructions for subdevices that have a handler for INSN_BITS but not for INSN_WRITE. It works by emulating the INSN_READ or INSN_WRITE instruction handling with a constructed INSN_BITS instruction. However, INSN_READ and INSN_WRITE instructions are supposed to be able to read or write multiple samples, indicated by the insn->n value, but insn_rw_emulate_bits() currently only handles a single sample. For INSN_READ, the comedi core will copy insn->n samples back to user-space. (That triggered KASAN kernel-infoleak errors when insn->n was greater than 1, but that is being fixed more generally elsewhere in the comedi core.)
Make insn_rw_emulate_bits() either handle insn->n samples, or return an error, to conform to the general expectation for INSN_READ and INSN_WRITE handlers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's comedi subsystem, insn_rw_emulate_bits() only handles one sample, violating the multi-sample expectation of INSN_READ/WRITE and potentially causing kernel-infoleak.
Vulnerability
Overview
CVE-2025-39686 is a vulnerability in the Linux kernel's comedi (data acquisition) subsystem. The insn_rw_emulate_bits() function is used as a default handler for INSN_READ and INSN_WRITE instructions when a subdevice only provides an INSN_BITS handler. The bug is that this emulation function only processes a single sample, while the INSN_READ and INSN_WRITE instructions are designed to handle multiple samples as indicated by the insn->n field. This mismatch leads to incorrect behavior and, in the case of INSN_READ, can cause the kernel to copy uninitialized data back to user space, triggering KASAN kernel-infoleak errors [1].
Exploitation
To exploit this vulnerability, an attacker would need to have access to a comedi device and be able to send INSN_READ or INSN_WRITE instructions with insn->n greater than 1 to a subdevice that lacks a dedicated handler for those instructions but does have an INSN_BITS handler. This is a local attack vector: comedi devices are typically accessed via the /dev/comedi* interface, so access comes either from a local user with appropriate permissions or through a process running on the system. No authentication is required beyond the ability to open and interact with the comedi device [1].
Impact
If successfully exploited, the vulnerability can lead to a kernel information leak (infoleak). The comedi core copies insn->n samples back to user space, and when insn_rw_emulate_bits() only fills one sample, the remaining samples contain uninitialized kernel memory. This can expose sensitive kernel data to an unprivileged user, potentially aiding in the exploitation of other vulnerabilities. The CVSS v3 score of 7.8 (High) reflects the potential for confidentiality impact [1].
Mitigation
The fix, committed to the Linux kernel stable tree, modifies insn_rw_emulate_bits() to either handle all insn->n samples or return an error, thus conforming to the expected behavior of INSN_READ and INSN_WRITE handlers [2][3][4]. Users should apply the latest kernel updates from their distribution or vendor. Siemens has also listed this CVE as affecting SIMATIC CN 4100 devices (all versions before V5.0) and recommends updating to V5.0 or later [1].
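The single-sample behaviour and the corrected contract described above, as a user-space C model added here as an example; it is not the kernel's code or the upstream patch. The struct, the function names, the poison value standing in for uninitialized memory and the constructed line state are all assumptions.

```c
/* User-space model; not kernel code. All names here are hypothetical. */
#include <stdio.h>

#define POISON 0xA5A5A5A5u /* stands in for uninitialized buffer contents */
#define MAX_N  8

struct model_insn { unsigned int n, chan; };
typedef int (*rw_handler)(const struct model_insn *, unsigned int *);

/* Stand-in for the subdevice's INSN_BITS handler: returns the line state. */
static unsigned int model_line_state(void)
{
    return 0x5u; /* constructed state: channels 0 and 2 high */
}

/* Behaviour the page describes before the fix: one sample, whatever n is. */
static int emulate_single(const struct model_insn *insn, unsigned int *data)
{
    data[0] = (model_line_state() >> insn->chan) & 1;
    return 1;
}

/* Contract after the fix: every one of the insn->n samples is written. */
static int emulate_all(const struct model_insn *insn, unsigned int *data)
{
    for (unsigned int i = 0; i < insn->n; i++)
        data[i] = (model_line_state() >> insn->chan) & 1;
    return (int)insn->n;
}

/* Models the caller copying n samples out: counts those never written. */
static unsigned int stale_samples(rw_handler h, unsigned int n, unsigned int chan)
{
    unsigned int buf[MAX_N], stale = 0, i;
    struct model_insn insn = { n > MAX_N ? MAX_N : n, chan % 32 };

    for (i = 0; i < MAX_N; i++)
        buf[i] = POISON;
    if (h(&insn, buf) < 0)
        return 0;
    for (i = 0; i < insn.n; i++)
        stale += (buf[i] == POISON);
    return stale;
}

int main(void)
{
    printf("single: %u stale, all: %u stale\n",
           stale_samples(emulate_single, 4, 2), stale_samples(emulate_all, 4, 2));
    return 0;
}
```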
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux/Linux v5 Range: 2.6.29
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/7afba9221f70d4cbce0f417c558879cba0eb5e66 (nvd, Patch)
- git.kernel.org/stable/c/842f307a1d115b24f2bcb2415c4e344f11f55930 (nvd, Patch)
- git.kernel.org/stable/c/92352ed2f9ac422181e381c2430c2d0dfb46faa0 (nvd, Patch)
- git.kernel.org/stable/c/ab77e85bd3bc006ef40738f26f446a660813da44 (nvd, Patch)
- git.kernel.org/stable/c/ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b (nvd, Patch)
- git.kernel.org/stable/c/dc0a2f142d655700db43de90cb6abf141b73d908 (nvd, Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd, Mailing List, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)