VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68799

Description

In the Linux kernel, the following vulnerability has been resolved:

caif: fix integer underflow in cffrml_receive()

The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2.

If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow.

This can lead to memory exhaustion and kernel instability, and potential information disclosure if padding contains uninitialized kernel memory.

Fix this by validating that len >= 2 before performing the subtraction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer underflow in the Linux kernel's CAIF protocol driver (cffrml_receive) allows memory exhaustion and kernel instability via crafted packets.

Vulnerability

The Linux kernel's CAIF (CA Interface) protocol implementation contains an integer underflow vulnerability in the cffrml_receive() function. When Frame Check Sequence (FCS) is disabled, the function subtracts 2 from a length field extracted from the packet header without first verifying that the length is at least 2. This flaw was introduced in the CAIF subsystem and affects the kernel's handling of CAIF frames [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted CAIF packet with a length field set to 0 or 1 to an interface that has FCS disabled. The missing validation causes an integer underflow when subtracting 2, resulting in a very large length value. This can lead to memory exhaustion as the kernel attempts to allocate or process an oversized buffer, and may also cause kernel instability [1][2].

Impact

Successful exploitation can lead to denial of service through memory exhaustion and kernel instability. Additionally, if padding data is involved, the underflow could potentially cause information disclosure by exposing uninitialized kernel memory. The vulnerability does not require authentication, but does require the ability to send CAIF frames to a CAIF interface with FCS disabled [1][2].

Mitigation

The fix has been applied in the Linux kernel stable tree via commits 785c7be63616 and 8a11ff0948b. Users should update to a kernel version containing these patches. No workaround is available other than disabling CAIF or ensuring FCS is enabled on all CAIF interfaces [1][2].
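The following is an added illustration, not code from the Linux kernel or from this advisory. It models the length handling described in the Vulnerability and Mitigation sections with a constructed frame layout (a 2-byte little-endian length field followed by the payload, which is an assumption for the example only) and shows the unchecked 16-bit subtraction beside the hardened form that rejects a frame whose length field is below 2 when FCS is disabled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of length handling in a framing-layer receive path.
 * Assumptions (not the kernel's actual CAIF code): the frame begins with a
 * 2-byte little-endian length field, and when FCS is not in use the receiver
 * subtracts the 2 FCS bytes from that length before trimming the packet.
 */
#define FRAME_HDR_LEN 2
#define FRAME_REJECT  (-1)   /* stands in for the kernel's -EPROTO */

/* Constructed sample frames: length field 0, length field 1, length field 5. */
const uint8_t FRAME_LEN0[] = {0x00, 0x00, 0xAA, 0xBB};
const uint8_t FRAME_LEN1[] = {0x01, 0x00, 0xAA};
const uint8_t FRAME_LEN5[] = {0x05, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05};

/* Read the 16-bit little-endian length field from the frame header. */
static uint16_t frame_len_field(const uint8_t *frame)
{
    return (uint16_t)(frame[0] | ((uint16_t)frame[1] << 8));
}

/*
 * Vulnerable pattern: the unsigned 16-bit length is decremented with no lower
 * bound. For a length field of 0 or 1 the subtraction wraps to 65534 or 65535,
 * so the receiver believes the payload is far larger than what arrived.
 */
int32_t payload_len_unchecked(const uint8_t *frame, size_t frame_size, bool fcs_enabled)
{
    if (frame_size < FRAME_HDR_LEN)
        return FRAME_REJECT;

    uint16_t len = frame_len_field(frame);

    /* Subtract for FCS on length if FCS is not used. */
    if (!fcs_enabled)
        len -= 2;   /* wraps when len < 2 */

    return (int32_t)len;
}

/*
 * Hardened pattern: confirm the length covers the 2 FCS bytes before
 * subtracting, and drop the frame otherwise.
 */
int32_t payload_len_checked(const uint8_t *frame, size_t frame_size, bool fcs_enabled)
{
    if (frame_size < FRAME_HDR_LEN)
        return FRAME_REJECT;

    uint16_t len = frame_len_field(frame);

    if (!fcs_enabled) {
        if (len < 2)
            return FRAME_REJECT;   /* would underflow: reject the frame */
        len -= 2;
    }

    return (int32_t)len;
}

int main(void)
{
    printf("len field 0, FCS off: unchecked=%d checked=%d\n",
           payload_len_unchecked(FRAME_LEN0, sizeof FRAME_LEN0, false),
           payload_len_checked(FRAME_LEN0, sizeof FRAME_LEN0, false));
    printf("len field 5, FCS off: unchecked=%d checked=%d\n",
           payload_len_unchecked(FRAME_LEN5, sizeof FRAME_LEN5, false),
           payload_len_checked(FRAME_LEN5, sizeof FRAME_LEN5, false));
    return 0;
}
```

The unchecked variant reports a payload of 65534 bytes for a 4-byte frame with a zero length field, which is the oversized value the advisory describes the kernel then trying to honour; the checked variant rejects that frame and behaves identically to the unchecked one for well-formed lengths.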

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 7
