CVE-2025-40004

Vulnerability

Description

A buffer overflow vulnerability exists in the USB 9pfs transport layer of the Linux kernel. The root cause is an inconsistency between the size validation performed during packet header parsing and the actual data copying in the completion handler. Specifically, usb9pfs_rx_header() validates only the declared size in the packet header, while usb9pfs_rx_complete() uses req->actual (the actual number of bytes received) for a memcpy operation. This mismatch allows an attacker to craft packets with a small declared size (bypassing the header validation) but a large actual payload, triggering a heap buffer overflow when the data is copied.

Exploitation

To exploit this vulnerability, an attacker must be able to act as a malicious USB host connected to a system using the 9pfs USB transport. No authentication is required beyond physical or logical USB access. The attacker sends a specially crafted USB packet where the header declares a small size, but the actual transmitted data is larger than the allocated buffer. The kernel's USB subsystem delivers the full payload to usb9pfs_rx_complete(), which then copies the oversized data into a heap buffer, causing an overflow.

Impact

A successful exploit allows the attacker to corrupt heap memory, potentially leading to arbitrary code execution in the kernel context, denial of service (system crash), or information disclosure. The severity is high, as the vulnerability can be triggered from a USB device without requiring elevated privileges on the target system.

Mitigation

The fix adds validation in usb9pfs_rx_complete() to ensure that req->actual does not exceed the buffer capacity before copying data. The patch has been applied to the Linux kernel stable tree in commits [1], [2], and [3]. Users should update their kernel to a version containing these fixes. No workaround is available; applying the kernel update is the recommended mitigation.