CVE-2025-39760
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: core: config: Prevent OOB read in SS endpoint companion parsing
usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size.
Fix this up by checking the size first before looking at any of the fields in the descriptor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a missing length check before type check in USB SuperSpeed endpoint companion parsing can lead to an out-of-bounds read.
Vulnerability
Overview
The vulnerability resides in the Linux kernel's USB subsystem, specifically in the function usb_parse_ss_endpoint_companion(). The code checks the descriptor type before verifying the descriptor length, so a malformed USB descriptor can cause an out-of-bounds read beyond the allocated buffer. The flaw lies in the parsing of SuperSpeed endpoint companion descriptors and is fixed by reordering the checks so that the length is validated first [2][3][4].
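As an added illustration of why the order of the two checks matters (constructed model, not the kernel's code), the following C runs both orderings over a configuration buffer that ends one byte into a companion descriptor, using an instrumented read that records, rather than performs, any access past the valid bytes. The combined-condition form of the checks and the `view`/`rd` helpers are assumptions; field names follow the USB 3.x companion descriptor layout.

```c
#include <stddef.h>
#include <stdint.h>
/* Added model of the check order described above; not the kernel's code. */
#define USB_DT_SS_ENDPOINT_COMP 0x30  /* SuperSpeed endpoint companion type */
#define USB_DT_SS_EP_COMP_SIZE  6     /* its fixed descriptor length */
struct view {
    const uint8_t *buf;   /* remaining configuration buffer */
    size_t size;          /* bytes actually valid from buf */
    int oob;              /* set if a read landed past size */
};
/* Instrumented byte read: records an out-of-bounds access instead of doing it. */
static uint8_t rd(struct view *v, size_t off)
{
    if (off >= v->size) { v->oob = 1; return 0; }
    return v->buf[off];
}

/* Pre-fix ordering: reads bDescriptorType before the size is known to cover it. */
static int parse_type_first(struct view *v)
{
    if (rd(v, 1) != USB_DT_SS_ENDPOINT_COMP || v->size < USB_DT_SS_EP_COMP_SIZE)
        return -1;
    return rd(v, 2);  /* bMaxBurst */
}

/* Post-fix ordering: size is validated before any descriptor field is touched. */
static int parse_size_first(struct view *v)
{
    if (v->size < USB_DT_SS_EP_COMP_SIZE || rd(v, 1) != USB_DT_SS_ENDPOINT_COMP)
        return -1;
    return rd(v, 2);  /* bMaxBurst */
}

/* Runs a parser over a buffer; returns 1 if it recorded an out-of-bounds read. */
static int reads_oob(int (*parse)(struct view *), const uint8_t *buf, size_t size)
{
    struct view v = { buf, size, 0 };
    parse(&v);
    return v.oob;
}
/* bMaxBurst (or -1) as returned by the fixed ordering. */
static int max_burst_size_first(const uint8_t *buf, size_t size)
{
    struct view v = { buf, size, 0 };
    return parse_size_first(&v);
}

/* Constructed: a config blob cut off after a companion descriptor's bLength
 * byte, and a well-formed companion descriptor with bMaxBurst = 3. */
static const uint8_t truncated_tail[1] = { 0x06 };
static const uint8_t good_desc[6] = { 0x06, 0x30, 0x03, 0x00, 0x00, 0x00 };
```

With the truncated tail, the type-first ordering touches offset 1 of a one-byte buffer before it ever compares the size; the size-first ordering rejects the descriptor without reading any field.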
Exploitation
Conditions
An attacker with physical access to the system or the ability to connect a malicious USB device can exploit this vulnerability. No authentication is required; the attack is triggered during USB device enumeration when the kernel parses the device's descriptors. The attacker must supply a crafted USB descriptor that passes the type check but has an insufficient length, causing the kernel to read beyond the buffer.
Impact
Successful exploitation can lead to information disclosure (reading kernel memory) or a system crash (denial of service). The CVSS v3 score of 7.1 (High) reflects the potential for significant impact on confidentiality and availability. The vulnerability does not directly enable privilege escalation, but leaked memory may aid further attacks.
Mitigation
Patches have been applied to the Linux kernel stable tree and are available in commits referenced [2][3][4]. Affected products include Siemens SIMATIC CN 4100 (all versions before V5.0) as listed in the Siemens advisory [1]. Users should update to the latest kernel version or apply the specific fix. No workaround is documented; the only mitigation is to apply the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux / Linux v5; Range: 2.6.35
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/058ad2b722812708fe90567875704ae36563e33b (nvd: Patch)
- git.kernel.org/stable/c/4fe6f472f0beef4281e6f03bc38a910a33be663f (nvd: Patch)
- git.kernel.org/stable/c/5badd56c711e2c8371d1670f9bd486697575423c (nvd: Patch)
- git.kernel.org/stable/c/5c3097ede7835d3caf6543eb70ff689af4550cd2 (nvd: Patch)
- git.kernel.org/stable/c/9512510cee7d1becdb0e9413fdd3ab783e4e30ee (nvd: Patch)
- git.kernel.org/stable/c/9843bcb187cb933861f7805022e6873905f669e4 (nvd: Patch)
- git.kernel.org/stable/c/b10e0f868067c6f25bbfabdcf3e1e6432c24ca55 (nvd: Patch)
- git.kernel.org/stable/c/cf16f408364efd8a68f39011a3b073c83a03612d (nvd: Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00007.html (nvd: Third Party Advisory)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd: Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)