CVE-2025-38497

July 29, 2025, 2:14 p.m.

None
No Score

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning immediately.

Product(s) Impacted

Vendor Product Versions
Linux
  • Linux Kernel
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o linux linux_kernel / / / / / / / /

References

https://git.kernel.org/stable/c/22b7897c289cc25d99c603f5144096142a30d897
https://git.kernel.org/stable/c/2798111f8e504ac747cce911226135d50b8de468
https://git.kernel.org/stable/c/3014168731b7930300aab656085af784edc861f6
https://git.kernel.org/stable/c/58bdd5160184645771553ea732da5c2887fc9bd1
https://git.kernel.org/stable/c/783ea37b237a9b524f1e5ca018ea17d772ee0ea0

Tags

416baaa9-dc9f-4396-8d5f-8c081fb06d67
2025-07-28
CVE-2025-38497

Timeline

Published: July 28, 2025, 12:15 p.m.
Last Modified: July 29, 2025, 2:14 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

416baaa9-dc9f-4396-8d5f-8c081fb06d67

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.