{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21742", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.757Z", "datePublished": "2025-02-27T02:12:16.207Z", "dateUpdated": "2025-03-24T15:39:39.748Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-24T15:39:39.748Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: use static NDP16 location in URB\n\nOriginal code allowed for the start of NDP16 to be anywhere within the\nURB based on the `wNdpIndex` value in NTH16. Only the start position of\nNDP16 was checked, so it was possible for even the fixed-length part\nof NDP16 to extend past the end of URB, leading to an out-of-bounds\nread.\n\nOn iOS devices, the NDP16 header always directly follows NTH16. Rely on\nand check for this specific format.\n\nThis, along with NCM-specific minimal URB length check that already\nexists, will ensure that the fixed-length part of NDP16 plus a set\namount of DPEs fit within the URB.\n\nNote that this commit alone does not fully address the OoB read.\nThe limit on the amount of DPEs needs to be enforced separately."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/ipheth.c"], "versions": [{"version": "a2d274c62e44b1995c170595db3865c6fe701226", "lessThan": "8fb062178e1ce180e2cfdc9abc83a1b9fea381ca", "status": "affected", "versionType": "git"}, {"version": "a2d274c62e44b1995c170595db3865c6fe701226", "lessThan": "cf1ac7f7cf601ac31d1580559c002b5e37b733b7", "status": "affected", "versionType": "git"}, {"version": "a2d274c62e44b1995c170595db3865c6fe701226", "lessThan": "2b619445dcb6dab97d8ed033fb57225aca1288c4", "status": "affected", "versionType": "git"}, {"version": "a2d274c62e44b1995c170595db3865c6fe701226", "lessThan": "86586dcb75cb8fd062a518aca8ee667938b91efb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/ipheth.c"], "versions": [{"version": "6.5", "status": "affected"}, {"version": "0", "lessThan": "6.5", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.78", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.14", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.3", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/8fb062178e1ce180e2cfdc9abc83a1b9fea381ca"}, {"url": "https://git.kernel.org/stable/c/cf1ac7f7cf601ac31d1580559c002b5e37b733b7"}, {"url": "https://git.kernel.org/stable/c/2b619445dcb6dab97d8ed033fb57225aca1288c4"}, {"url": "https://git.kernel.org/stable/c/86586dcb75cb8fd062a518aca8ee667938b91efb"}], "title": "usbnet: ipheth: use static NDP16 location in URB", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "620D4308-FEF2-4D7F-84A9-21E66BDB5A28", "versionEndExcluding": "6.6.78", "versionStartIncluding": "6.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "033BB7EE-C9A2-45EA-BAC9-87BB9D951BCD", "versionEndExcluding": "6.12.14", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E92CEE3-1FC3-4AFC-A513-DEDBA7414F00", "versionEndExcluding": "6.13.3", "versionStartIncluding": "6.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: use static NDP16 location in URB\n\nOriginal code allowed for the start of NDP16 to be anywhere within the\nURB based on the `wNdpIndex` value in NTH16. Only the start position of\nNDP16 was checked, so it was possible for even the fixed-length part\nof NDP16 to extend past the end of URB, leading to an out-of-bounds\nread.\n\nOn iOS devices, the NDP16 header always directly follows NTH16. Rely on\nand check for this specific format.\n\nThis, along with NCM-specific minimal URB length check that already\nexists, will ensure that the fixed-length part of NDP16 plus a set\namount of DPEs fit within the URB.\n\nNote that this commit alone does not fully address the OoB read.\nThe limit on the amount of DPEs needs to be enforced separately."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usbnet: ipheth: usar ubicaci\u00f3n est\u00e1tica de NDP16 en URB El c\u00f3digo original permit\u00eda que el inicio de NDP16 estuviera en cualquier lugar dentro de URB seg\u00fan el valor `wNdpIndex` en NTH16. Solo se comprob\u00f3 la posici\u00f3n de inicio de NDP16, por lo que era posible que incluso la parte de longitud fija de NDP16 se extendiera m\u00e1s all\u00e1 del final de URB, lo que generaba una lectura fuera de los l\u00edmites. En los dispositivos iOS, el encabezado NDP16 siempre sigue directamente a NTH16. Conf\u00ede en este formato espec\u00edfico y compru\u00e9belo. Esto, junto con la comprobaci\u00f3n de longitud m\u00ednima de URB espec\u00edfica de NCM que ya existe, garantizar\u00e1 que la parte de longitud fija de NDP16 m\u00e1s una cantidad establecida de DPE quepan dentro de URB. Tenga en cuenta que esta confirmaci\u00f3n por s\u00ed sola no aborda por completo la lectura OoB. El l\u00edmite en la cantidad de DPE debe aplicarse por separado."}], "id": "CVE-2025-21742", "lastModified": "2025-03-06T12:21:35.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-27T03:15:14.830", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2b619445dcb6dab97d8ed033fb57225aca1288c4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/86586dcb75cb8fd062a518aca8ee667938b91efb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8fb062178e1ce180e2cfdc9abc83a1b9fea381ca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cf1ac7f7cf601ac31d1580559c002b5e37b733b7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: usbnet: ipheth: use static NDP16 location in URB", "id": "2348567", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348567"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusbnet: ipheth: use static NDP16 location in URB\nOriginal code allowed for the start of NDP16 to be anywhere within the\nURB based on the `wNdpIndex` value in NTH16. Only the start position of\nNDP16 was checked, so it was possible for even the fixed-length part\nof NDP16 to extend past the end of URB, leading to an out-of-bounds\nread.\nOn iOS devices, the NDP16 header always directly follows NTH16. Rely on\nand check for this specific format.\nThis, along with NCM-specific minimal URB length check that already\nexists, will ensure that the fixed-length part of NDP16 plus a set\namount of DPEs fit within the URB.\nNote that this commit alone does not fully address the OoB read.\nThe limit on the amount of DPEs needs to be enforced separately."], "name": "CVE-2025-21742", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21742\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21742\nhttps://lore.kernel.org/linux-cve-announce/2025022600-CVE-2025-21742-7d50@gregkh/T"], "threat_severity": "Moderate"}