CVE-2025-21738

MEDIUM EPSS 9.0%
Published Feb 27, 20251y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 27, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
9.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 4

VendorProductVersionRange
linuxlinux_kernel* <6.1.129
linuxlinux_kernel*≥6.2  –  <6.6.78
linuxlinux_kernel*≥6.7  –  <6.12.14
linuxlinux_kernel*≥6.13  –  <6.13.3

References 6

  • git.kernel.org https://git.kernel.org/stable/c/0a17a9944b8d89ef03946121241870ac53ddaf45
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0dd5aade301a10f4b329fa7454fdcc2518741902
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6e74e53b34b6dec5a50e1404e2680852ec6768d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d5e6e3000309359eae2a17117aa6e3c44897bf6c
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0a17a9944b8d89ef03946121241870ac53ddaf45
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0dd5aade301a10f4b329fa7454fdcc2518741902
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6e74e53b34b6dec5a50e1404e2680852ec6768d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d5e6e3000309359eae2a17117aa6e3c44897bf6c
    Patch