CVE-2025-39684

Severity: Medium (CVSS 3.1 base score 5.5) · EPSS 5.8%
Published Sep 5, 2025 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()

syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing.

One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, so if `insn->n` is greater than 1, the remaining `insn->n - 1` samples copied to userspace will be uninitialized kernel data.

Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer.

Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction.

Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not always necessary to clear the whole buffer.
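The leak pattern described above, modelled in user-space C as an added illustration (this is not the kernel code or the fix commit): `STALE_BYTE`, `emulate_bits_read()` and `insn_ioctl()` are constructed stand-ins for stale kernel heap contents, the `insn_rw_emulate_bits()` read path and the `do_insn_ioctl()` allocate/handle/copy-back sequence, and the `zero_before_handling` flag switches between the vulnerable behaviour and the zero-before-handling fix the commit describes.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for whatever previous kernel data is left in a
 * kmalloc_array() buffer; real uninitialized memory is unpredictable. */
#define STALE_BYTE   0xAA
#define STALE_SAMPLE 0xAAAAAAAAu

/* Models insn_rw_emulate_bits() handling INSN_READ: it produces at most
 * one sample and reports success however many samples were requested. */
static int emulate_bits_read(unsigned int *data, unsigned int n)
{
    if (n == 0)
        return 0;
    data[0] = 1;   /* the single sample actually read */
    return 1;      /* samples 1 .. n-1 are left untouched */
}

/* Models the do_insn_ioctl() sequence: allocate n samples, run the
 * handler, copy all n samples back to user space.  zero_before_handling
 * selects the vulnerable (0) or the fixed (1) behaviour.
 * Returns 0 on success, -1 on allocation failure. */
static int insn_ioctl(unsigned int n, int zero_before_handling, unsigned int *user_out)
{
    unsigned int *data = malloc(n * sizeof(*data));   /* kmalloc_array() */
    if (!data)
        return -1;
    memset(data, STALE_BYTE, n * sizeof(*data));       /* constructed stale contents */
    /* The fix: zero the part of the buffer a read handler may not fill,
     * so a short fill cannot expose old kernel memory to user space. */
    if (zero_before_handling)
        memset(data, 0, n * sizeof(*data));
    emulate_bits_read(data, n);                         /* handler count is not checked */
    memcpy(user_out, data, n * sizeof(*data));          /* copy_to_user() of insn->n samples */
    free(data);
    return 0;
}

/* Defender's check: how many returned samples after the first still carry
 * the stale pattern, i.e. were never written by the handler. */
static unsigned int leaked_samples(const unsigned int *out, unsigned int n)
{
    unsigned int leaked = 0;
    for (unsigned int i = 1; i < n; i++)
        if (out[i] == STALE_SAMPLE)
            leaked++;
    return leaked;
}
```

With `n = 4` the unfixed path hands back three stale samples; the fixed path hands back the one real sample followed by zeros.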

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
5.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-908 (Use of Uninitialized Resource)

Affected Products 8

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥2.6.29 – <5.15.190
linux    linux_kernel   *         ≥5.16 – <6.1.149
linux    linux_kernel   *         ≥6.2 – <6.6.103
linux    linux_kernel   *         ≥6.7 – <6.12.44
linux    linux_kernel   *         ≥6.13 – <6.16.4
linux    linux_kernel   6.17      any
linux    linux_kernel   6.17      any
debian   debian_linux   11.0      any

References 8

  • https://cert-portal.siemens.com/productcert/html/ssa-032379.html
  • https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb (Patch)
  • https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a (Patch)
  • https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a (Patch)
  • https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc (Patch)
  • https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743 (Patch)
  • https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a (Patch)
  • https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html (Third Party Advisory)

Remediation

  • https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb (Patch)
  • https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a (Patch)
  • https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a (Patch)
  • https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc (Patch)
  • https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743 (Patch)
  • https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a (Patch)