CVE-2025-40345
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: storage: sddr55: Reject out-of-bound new_pba
Discovered by Atuin - Automated Vulnerability Discovery Engine.
new_pba comes from the status packet returned after each write. A bogus device could report values beyond the block count derived from info->capacity, letting the driver walk off the end of pba_to_lba[] and corrupt heap memory.
Reject PBAs that exceed the computed block count and fail the transfer so we avoid touching out-of-range mapping entries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's sddr55 usb-storage driver, a malicious device can supply an out-of-bounds new_pba value to corrupt heap memory via pba_to_lba[].
Root Cause
The sddr55 USB storage driver in the Linux kernel lacked a bounds check on the new_pba value received from a storage device after a write operation. The driver derives the block count from info->capacity, and if new_pba exceeds that count, the driver writes past the end of the pba_to_lba[] array, corrupting heap memory [1][2][3][4].
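The check described above, as an added user-space model; it is not the kernel driver's code. The `card_map` struct, the function names, the shift values and the status-byte layout are assumptions made for illustration.

```c
/* Added illustration: user-space model of the check, not the kernel driver's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct card_map {            /* hypothetical stand-in for the driver's per-card state */
    unsigned block_shift;    /* log2(pages per block), assumed */
    uint32_t block_count;    /* capacity >> (page_shift + block_shift) */
    uint16_t *pba_to_lba;    /* block_count entries, heap allocated */
};

static int card_map_init(struct card_map *m, uint32_t capacity,
                         unsigned page_shift, unsigned block_shift)
{
    m->block_shift = block_shift;
    m->block_count = capacity >> (page_shift + block_shift);
    m->pba_to_lba = calloc(m->block_count, sizeof(*m->pba_to_lba));
    return m->pba_to_lba ? 0 : -1;
}

/* Assumed status layout: bytes 3..6 hold a little-endian page address. */
static uint32_t status_to_pba(const uint8_t status[8], const struct card_map *m)
{
    uint32_t page = status[3] | (uint32_t)status[4] << 8 |
                    (uint32_t)status[5] << 16 | (uint32_t)status[6] << 24;
    return page >> m->block_shift;
}

/* Returns 0 and updates the map, or -1 (fail the transfer) for an out-of-range PBA. */
static int record_write_status(struct card_map *m, const uint8_t status[8], uint16_t lba)
{
    uint32_t new_pba = status_to_pba(status, m);
    if (new_pba >= m->block_count)   /* device-controlled index: validate before use */
        return -1;
    m->pba_to_lba[new_pba] = lba;
    return 0;
}

int main(void)
{
    struct card_map m;       /* filled below for a constructed 16 MiB card */
    uint8_t good[8] = {0, 0, 0, 0xe0, 0x7f, 0, 0, 0};   /* constructed: page 0x7fe0 -> PBA 1023 */
    uint8_t bogus[8] = {0, 0, 0, 0x00, 0x80, 0, 0, 0};  /* constructed: page 0x8000 -> PBA 1024 */
    if (card_map_init(&m, 16u << 20, 9, 5)) return 1;
    printf("good=%d\n", record_write_status(&m, good, 7));
    printf("bogus=%d\n", record_write_status(&m, bogus, 7));
    free(m.pba_to_lba);
    return 0;
}
```

Without the comparison against `block_count`, the second call would store one element past the end of the heap allocation, which is the corruption the CVE describes.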
Exploitation
An attacker with physical USB access or the ability to impersonate a storage device can send a crafted status packet containing an out-of-bounds new_pba value during a write transfer. No special privileges are required beyond the ability to connect a malicious device [1]. The vulnerability is reachable when the kernel's USB storage subsystem processes the write response.
Impact
Successful exploitation leads to heap memory corruption. This could potentially allow an attacker to crash the system or, under certain conditions, achieve arbitrary code execution within the kernel context [1]. The issue was discovered by Atuin, an automated vulnerability discovery engine.
Mitigation
The fix has been included in the Linux kernel stable tree [1][2][3][4]. System administrators should update their kernel to a version containing the commit that rejects out-of-range new_pba values. No workaround is available other than applying the patch or disallowing use of the affected driver.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 7
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/04a8a6393f3f2f471e05eacca33282dd30b01432 (nvd)
- git.kernel.org/stable/c/26e9b5da3231da7dc357b363883b5b7b51a64092 (nvd)
- git.kernel.org/stable/c/5ebe8d479aaf4f41ac35e6955332304193c646f6 (nvd)
- git.kernel.org/stable/c/a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f (nvd)
- git.kernel.org/stable/c/aa64e0e17e3a5991a25e6a46007770c629039869 (nvd)
- git.kernel.org/stable/c/b59d4fda7e7d0aff1043a7f742487cb829f5aac1 (nvd)
- git.kernel.org/stable/c/d00a6c04a502cd52425dbf35588732c652b16490 (nvd)