CVE-2025-38249

ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from
snd_usb_ctl_msg() is used directly for memory allocation without
validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor
and its fields are accessed without verifying that the buffer
is large enough. If the device returns a smaller than expected
length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for
uac3_cluster_header_descriptor.

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor.

Oleksii Oleksenko, Cedric Fournet, Jana Hofmann, Boris K\xF6pf, Stavros Volos, and Flavien Solt discovered that some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. A local attacker could possibly use this to expose sensitive information. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-07-09 CVE Published
2025-11-03 CVE Updated
2025-11-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/9a2fe9b801f585baccf8352d82839dcd54b300cf	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/24ff7d465c4284529bbfa207757bffb6f44b6403	2025-07-17
https://git.kernel.org/stable/c/2dc1c3edf67abd30c757f8054a5da61927cdda21	2025-07-17
https://git.kernel.org/stable/c/c3fb926abe90d86f5e3055e0035f04d9892a118b	2025-07-10
https://git.kernel.org/stable/c/6eb211788e1370af52a245d4d7da35c374c7b401	2025-07-06
https://git.kernel.org/stable/c/74fcb3852a2f579151ce80b9ed96cd916ba0d5d8	2025-07-06
https://git.kernel.org/stable/c/0ee87c2814deb5e42921281116ac3abcb326880b	2025-07-06
https://git.kernel.org/stable/c/11e740dc1a2c8590eb7074b5c4ab921bb6224c36	2025-07-06
https://git.kernel.org/stable/c/fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a	2025-06-23

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.17 < 5.4.296 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.17 < 5.4.296"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.17 < 5.10.240 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.17 < 5.10.240"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.17 < 5.15.187 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.17 < 5.15.187"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.17 < 6.1.143 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.17 < 6.1.143"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.17 < 6.6.96 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.17 < 6.6.96"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.17 < 6.12.36 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.17 < 6.12.36"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.17 < 6.15.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.17 < 6.15.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.17 < 6.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.17 < 6.16"		en		Affected