CVE-2025-68750
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: potential integer overflow in usbg_make_tpg()
The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt.
I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the relevant code accordingly.
This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential memory corruption").
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in Linux USB gadget target port group assignment (u16 field assigned from unsigned long) may allow memory corruption.
Root Cause
In the Linux kernel's USB gadget target subsystem, the usbg_make_tpg() function declares the tpgt variable as unsigned long but assigns it to tpg->tport_tpgt, which is a u16. This type mismatch can cause an integer overflow when tpgt exceeds the maximum value representable by a u16 (65535). The issue is similar to a previously fixed vulnerability in vhost/scsi (commit 59c816c1f24d) [1].
Exploitability
An attacker with the ability to call usbg_make_tpg() with a crafted large tpgt value could trigger the overflow. In practice, this requires local access or the ability to load and interact with the USB gadget configfs interface. No authentication is explicitly required beyond the ability to issue the relevant configfs operations.
Impact
A successful integer overflow leads to assigning a truncated or unexpected value to the target port group identifier. This can cause memory corruption or unexpected behavior in subsequent operations that rely on tport_tpgt as an index or identifier, potentially leading to a system crash or privilege escalation. The vulnerability was discovered and fixed with a patch that aligns the variable type [1, 2, 3, 4].
Mitigation
The fix has been applied to the Linux kernel stable tree. Affected versions should be updated to include commits from the published patches [1][2][3][4]. Users are advised to apply the latest kernel updates from their distribution.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24 (nvd)
- git.kernel.org/stable/c/153874010354d050f62f8ae25cbb960c17633dc5 (nvd)
- git.kernel.org/stable/c/358d5ba08f1609c34a054aed88c431844d09705a (nvd)
- git.kernel.org/stable/c/603a83e5fee38a950bfcfb2f36449311fa00a474 (nvd)
- git.kernel.org/stable/c/620a5e1e84a3a7004270703a118d33eeb1c0f368 (nvd)
- git.kernel.org/stable/c/6722e080b5b39ab7471386c73d0c1b39572f943c (nvd)
- git.kernel.org/stable/c/6f77e344515b5258edb3988188311464209b1c7c (nvd)
- git.kernel.org/stable/c/a33f507f36d5881f602dab581ab0f8d22b49762c (nvd)