CVE-2025-22003

Description

In the Linux kernel, the following vulnerability has been resolved:

can: ucan: fix out of bound read in strscpy() source

Commit 7fdaf8966aae (can: ucan: use strscpy() to instead of strncpy()) unintentionally introduced a one byte out of bound read on strscpy()'s source argument (which is kind of ironic knowing that strscpy() is meant to be a more secure alternative :)).

Let's consider below buffers:

  dest[len + 1]; /* will be NUL terminated */
  src[len]; /* may not be NUL terminated */

When doing:

  strncpy(dest, src, len);
  dest[len] = 0;

strncpy() will read up to len bytes from src.

On the other hand:

  strscpy(dest, src, len + 1);

will read up to len + 1 bytes from src, that is to say, an out of bound read of one byte will occur on src if it is not NUL terminated. Note that the src[len] byte is never copied, but strscpy() still needs to read it to check whether a truncation occurred or not.

This exact pattern happened in ucan.

The root cause is that the source is not NUL terminated. Instead of doing a copy in a local buffer, directly NUL terminate it as soon as usb_control_msg() returns. With this, the local firmware_str[] variable can be removed.

On top of this do a couple refactors:

  - ucan_ctl_payload->raw is only used for the firmware string, so rename it to ucan_ctl_payload->fw_str and change its type from u8 to char.

  - ucan_device_request_in() is only used to retrieve the firmware string, so rename it to ucan_get_fw_str() and refactor it to make it directly handle all the string termination logic.
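The read-count difference described above, as an added user-space model (not the kernel's strscpy() and not the ucan driver code). The helper names, LEN, the sample bytes, and the clamp used when terminating the source are assumptions made for illustration; backing[LEN] stands in for whatever memory follows the real src[len].

```c
#include <stdio.h>
#include <string.h>

#define LEN 8                 /* constructed size of the source field */
static char backing[LEN + 1]; /* backing[LEN] models the byte after src[] */
static char dest[LEN + 1];
static long last_read;        /* highest source index the last copy read */

/* Model of strncpy(d, s, n): reads at most n source bytes. */
static void model_strncpy(char *d, const char *s, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        last_read = (long)i;
        if ((d[i] = s[i]) == '\0')
            break;
    }
    for (; i < n; i++)
        d[i] = '\0';          /* strncpy pads the rest with NULs */
}

/* Byte-wise model of strscpy(d, s, size); -1 stands in for -E2BIG. */
static long model_strscpy(char *d, const char *s, size_t size)
{
    for (size_t i = 0; i < size; i++) {
        last_read = (long)i;  /* s[size - 1] is read to detect truncation */
        if ((d[i] = s[i]) == '\0')
            return (long)i;
    }
    if (size)
        d[size - 1] = '\0';   /* truncated: overwrite the last copied byte */
    return -1;
}

/* use_strscpy: 0 = strncpy() + manual NUL, 1 = strscpy(dest, src, len + 1).
 * terminate_at < 0 leaves src unterminated; otherwise src is NUL-terminated
 * in place first, clamped so the terminator stays inside src[]. */
long highest_read(int use_strscpy, long terminate_at)
{
    memset(backing, 'A', LEN);    /* constructed device reply, no NUL */
    backing[LEN] = 'X';           /* neighbouring memory, not part of src */
    if (terminate_at >= 0)
        backing[terminate_at < LEN ? terminate_at : LEN - 1] = '\0';
    last_read = -1;
    if (use_strscpy) model_strscpy(dest, backing, LEN + 1);
    else { model_strncpy(dest, backing, LEN); dest[LEN] = '\0'; }
    return last_read;
}

int main(void) { printf("%ld %ld %ld\n", highest_read(0, -1), highest_read(1, -1), highest_read(1, LEN)); return 0; }
```

A returned index of LEN means the copy read one byte past the logical source buffer; once the source is terminated in place, the same strscpy() call stops inside it.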

Risk Information

Base Score: 5.5 (MODERATE)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability: 0.077

Associated Vulnerability

Vulnerability | OS Platform
SUSE-SU-2025:01614-1 (Legacy Module 15 SP6) reiserfs-kmp-default-debuginfo-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Legacy Module 15 SP6) reiserfs-kmp-default-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Development Tools Module 15 SP6) kernel-syms-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Development Tools Module 15 SP6) kernel-source-6.4.0-150600.23.50.1.noarch.rpm | Linux
SUSE-SU-2025:01614-1 (Development Tools Module 15 SP6) kernel-obs-build-debugsource-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Development Tools Module 15 SP6) kernel-obs-build-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Basesystem Module 15 SP6) kernel-macros-6.4.0-150600.23.50.1.noarch.rpm | Linux
SUSE-SU-2025:01614-1 (Development Tools Module 15 SP6) kernel-docs-6.4.0-150600.23.50.1.noarch.rpm | Linux
SUSE-SU-2025:01614-1 (Basesystem Module 15 SP6) kernel-devel-6.4.0-150600.23.50.1.noarch.rpm | Linux
SUSE-SU-2025:01614-1 (Basesystem Module 15 SP6) kernel-default-devel-debuginfo-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Basesystem Module 15 SP6) kernel-default-devel-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Basesystem Module 15 SP6) kernel-default-debugsource-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Basesystem Module 15 SP6) kernel-default-debuginfo-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Basesystem Module 15 SP6) kernel-default-base-6.4.0-150600.23.50.1.150600.12.22.1.x86_64.rpm | Linux
SUSE-SU-2025:01614-1 (Basesystem Module 15 SP6) kernel-default-6.4.0-150600.23.50.1.x86_64.rpm | Linux
SUSE-SU-2025:01707-1 (Public Cloud Module 15 SP6) kernel-syms-azure-6.4.0-150600.8.37.1.x86_64.rpm | Linux
SUSE-SU-2025:01707-1 (Public Cloud Module 15 SP6) kernel-source-azure-6.4.0-150600.8.37.1.noarch.rpm | Linux
SUSE-SU-2025:01707-1 (Public Cloud Module 15 SP6) kernel-devel-azure-6.4.0-150600.8.37.1.noarch.rpm | Linux
SUSE-SU-2025:01707-1 (Public Cloud Module 15 SP6) kernel-azure-devel-debuginfo-6.4.0-150600.8.37.1.x86_64.rpm | Linux
SUSE-SU-2025:01707-1 (Public Cloud Module 15 SP6) kernel-azure-devel-6.4.0-150600.8.37.1.x86_64.rpm | Linux
SUSE-SU-2025:01707-1 (Public Cloud Module 15 SP6) kernel-azure-debugsource-6.4.0-150600.8.37.1.x86_64.rpm | Linux
SUSE-SU-2025:01707-1 (Public Cloud Module 15 SP6) kernel-azure-debuginfo-6.4.0-150600.8.37.1.x86_64.rpm | Linux
SUSE-SU-2025:01707-1 (Public Cloud Module 15 SP6) kernel-azure-6.4.0-150600.8.37.1.x86_64.rpm | Linux
Linux kernel (USN-7605-1) linux-image-6.11.0-1011-realtime_6.11.0-1011.11_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-6.11.0-1015-aws_6.11.0-1015.16_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-6.11.0-1016-gcp_6.11.0-1016.16_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-6.11.0-1016-gcp_6.11.0-1016.16~24.04.1_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-6.11.0-1017-oracle_6.11.0-1017.18_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-6.11.0-28-generic_6.11.0-28.28_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-6.11.0-28-generic_6.11.0-28.28~24.04.1_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-aws_6.11.0-1015.16_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-gcp_6.11.0-1016.16_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-gcp_6.11.0-1016.16~24.04.1_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-generic_6.11.0-28.28_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-generic-hwe-24.04_6.11.0-28.28~24.04.1_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-oracle_6.11.0-1017.18_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-realtime_6.11.0-1011.11_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-virtual_6.11.0-28.28_amd64.deb | Linux
Linux kernel (USN-7605-1) linux-image-virtual-hwe-24.04_6.11.0-28.28~24.04.1_amd64.deb | Linux
Linux kernel for OEM systems (USN-7606-1) linux-image-6.11.0-1024-oem_6.11.0-1024.24_amd64.deb | Linux
Linux kernel for OEM systems (USN-7606-1) linux-image-oem-24.04b_6.11.0-1024.24_amd64.deb | Linux
Linux low latency kernel (USN-7605-2) linux-image-6.11.0-1015-lowlatency_6.11.0-1015.16_amd64.deb | Linux
Linux low latency kernel (USN-7605-2) linux-image-6.11.0-1015-lowlatency_6.11.0-1015.16~24.04.2_amd64.deb | Linux
Linux low latency kernel (USN-7605-2) linux-image-lowlatency_6.11.0-1015.16_amd64.deb | Linux
Linux low latency kernel (USN-7605-2) linux-image-lowlatency-6.11_6.11.0-1015.16~24.04.2_amd64.deb | Linux
Linux low latency kernel (USN-7605-2) linux-image-lowlatency-hwe-24.04_6.11.0-1015.16~24.04.2_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-6.11.0-1018-azure_6.11.0-1018.18_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-6.11.0-1018-azure_6.11.0-1018.18~24.04.1_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-6.11.0-1018-azure-fde_6.11.0-1018.18_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-6.11.0-1018-azure-fde_6.11.0-1018.18~24.04.1_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-azure_6.11.0-1018.18_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-azure_6.11.0-1018.18~24.04.1_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-azure-6.11_6.11.0-1018.18_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-azure-6.11_6.11.0-1018.18~24.04.1_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-azure-fde_6.11.0-1018.18_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-azure-fde_6.11.0-1018.18~24.04.1_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-azure-fde-6.11_6.11.0-1018.18_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-azure-fde-6.11_6.11.0-1018.18~24.04.1_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7628-1) USN-7628-1 linux-image-azure-fde-edge_6.11.0-1018.18~24.04.1_amd64.deb | Linux
