CVE-2025-68352
Description
In the Linux kernel, the following vulnerability has been resolved:
spi: ch341: fix out-of-bounds memory access in ch341_transfer_one
Discovered by Atuin - Automated Vulnerability Discovery Engine.
The 'len' variable is calculated as 'min(32, trans->len + 1)', which includes the 1-byte command header.
When copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len' as the length is incorrect because:
1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size 'trans->len', i.e., 'len - 1' in this context).
2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1 overflows the buffer.
Fix this by copying 'len - 1' bytes.
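The length arithmetic from the description, modelled in C as an added illustration (this is not code from the kernel driver or from the patch): it compares the pre-fix copy length 'len' with the post-fix 'len - 1' against the two buffer sizes the page gives, and assembles a packet the corrected way. CH341_PACKET_LENGTH comes from the description; header_len, buggy_copy_len, fixed_copy_len, write_overrun, read_overrun, fill_packet and build_fixed_packet are names chosen here, and the sample payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define CH341_PACKET_LENGTH 32   /* USB packet: 1 command byte + up to 31 payload bytes */

/* The page's 'len': min(32, trans->len + 1), packet length including the command header. */
static size_t header_len(size_t trans_len) {
    size_t len = trans_len + 1;
    return len < CH341_PACKET_LENGTH ? len : CH341_PACKET_LENGTH;
}

/* Copy length before the fix ('len') and after it ('len - 1'). */
static size_t buggy_copy_len(size_t trans_len) { return header_len(trans_len); }
static size_t fixed_copy_len(size_t trans_len) { return header_len(trans_len) - 1; }

/* Bytes a copy into tx_buf + 1 would write past the 32-byte tx_buf (0 = in bounds). */
static size_t write_overrun(size_t copy_len) {
    return copy_len > CH341_PACKET_LENGTH - 1 ? copy_len - (CH341_PACKET_LENGTH - 1) : 0;
}

/* Bytes a copy would read past the caller's trans->tx_buf, whose size is trans_len. */
static size_t read_overrun(size_t trans_len, size_t copy_len) {
    return copy_len > trans_len ? copy_len - trans_len : 0;
}

/* Post-fix packet assembly: command byte, then len - 1 payload bytes. Returns payload bytes placed.
 * tx_buf stands in for the driver's ch341->tx_buf and must hold CH341_PACKET_LENGTH bytes. */
static size_t fill_packet(uint8_t *tx_buf, uint8_t cmd, const uint8_t *src, size_t trans_len) {
    size_t len = header_len(trans_len);
    tx_buf[0] = cmd;
    memcpy(tx_buf + 1, src, len - 1);
    return len - 1;
}

/* Builds a packet from a constructed payload (bytes 0,1,2,...) of 'trans_len' bytes and verifies
 * it; returns the payload bytes placed, or -1 if any packet byte is wrong or trans_len > 64. */
static int build_fixed_packet(size_t trans_len) {
    uint8_t src[64], tx_buf[CH341_PACKET_LENGTH];   /* constructed sample data, not device data */
    size_t i, n;
    if (trans_len > sizeof(src))
        return -1;
    for (i = 0; i < trans_len; i++)
        src[i] = (uint8_t)i;
    n = fill_packet(tx_buf, 0xC0, src, trans_len);
    if (tx_buf[0] != 0xC0)
        return -1;
    for (i = 0; i < n; i++)
        if (tx_buf[1 + i] != src[i])
            return -1;
    return (int)n;
}
```

For a 31-byte transfer the pre-fix length is 32, which reads one byte past the caller's buffer and writes one byte past tx_buf; the corrected length of 31 stays inside both, and the over-read also occurs for short transfers below the packet limit.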
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds memory access in the Linux kernel's CH341 SPI driver can be triggered by a crafted SPI transfer, potentially leading to memory corruption.
Vulnerability
In the Linux kernel's SPI driver for CH341 devices (spi-ch341), the function ch341_transfer_one contains an out-of-bounds memory access flaw. The len variable is computed as min(32, trans->len + 1), which includes a 1-byte command header. When copying data from trans->tx_buf to ch341->tx_buf + 1, len is used as the copy length, causing two issues: an out-of-bounds read from trans->tx_buf (which has size trans->len, i.e., len - 1) and an out-of-bounds write to ch341->tx_buf if len equals CH341_PACKET_LENGTH (32), as writing 32 bytes to ch341->tx_buf + 1 overflows the buffer [1].
Exploitation
An attacker with the ability to send a crafted SPI transfer to a CH341 device could trigger this bug. The vulnerability is reachable without authentication if the attacker can interact with the SPI device through the kernel interface. The prerequisite is that the system has the CH341 SPI driver loaded and the attacker can issue a transfer with a length that causes len to be 32, leading to the overflow.
Impact
Successful exploitation could result in memory corruption, potentially leading to a system crash or, in some cases, arbitrary code execution. The out-of-bounds write can corrupt kernel memory, which may be leveraged for privilege escalation or denial of service.
Mitigation
The fix has been applied in the Linux kernel stable tree. The commit ea1e43966cd03098fcd5f0d72e6c2901d45fa08d corrects the copy length to len - 1 [1]. Users should update their kernel to include this patch. No workaround is available; updating is the recommended action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: stable commits only (no version range stated)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.