CVE-2025-21704
Published: 22 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

usb: cdc-acm: Check control transfer buffer size before access

If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap.

This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications").

A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.
Security Summary
CVE-2025-21704 affects the Linux kernel's CDC-ACM USB driver, which handles communications for abstract-control-model modems over USB. The vulnerability arises from a failure to check the control transfer buffer size before accessing it when processing fragmented notifications. If the first fragment is shorter than the struct usb_cdc_notification, the driver reads lengths from memory outside the received data, leading to incorrect expected_size calculations that can wrap around and cause memory corruption. This issue has existed since the start of the kernel's git history but only results in corruption following commit ea2583529cd1, which introduced fragmented notification reassembly.
A local attacker with low privileges can exploit this vulnerability by connecting a specially crafted USB device that sends malformed fragmented CDC notifications. Exploitation requires the acm_ctrl_irq function to execute, which only happens after userspace has opened /dev/ttyACM*; ModemManager may do this automatically, depending on the USB device's vendor and product IDs and its other interfaces. Successful exploitation results in memory corruption with high impact on confidentiality, integrity, and availability, as reflected in the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and the mapping to CWE-787 (Out-of-bounds Write).
Mitigation requires updating to a patched Linux kernel version. Relevant stable branch patches are available at the following commit URLs: https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831, https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c, https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646, https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812, and https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118. These patches log an error and discard invalid notifications when the buffer is too short, preventing the unsafe access.
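The length check the fix describes, shown as an added stand-alone example rather than the kernel's own cdc-acm code: a small notification reassembler that refuses to read wLength until an entire header has been received, fixes expected_size from that first fragment only, and so can never compute a wrapped `expected_size - nb_index`. The header layout follows the USB CDC notification structure; the reassembler type, its 64-byte buffer, the return codes and the sample fragments are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 8-byte CDC notification header (USB CDC spec layout; the kernel's
 * struct usb_cdc_notification has the same fields). Redeclared here so the
 * example builds outside the kernel tree. */
struct cdc_notification {
    uint8_t  bmRequestType;
    uint8_t  bNotificationType;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;       /* payload bytes that follow the header */
} __attribute__((packed));

/* Hypothetical reassembly state, standing in for the driver's
 * notification buffer, nb_index and expected_size. */
struct notif_reassembler {
    uint8_t buf[64];
    size_t  nb_index;       /* bytes accumulated so far */
    size_t  expected_size;  /* header + wLength, fixed by the first fragment */
};

enum feed_result {
    FEED_MORE      = 0,     /* fragment stored, notification incomplete */
    FEED_COMPLETE  = 1,     /* notification fully assembled in buf */
    FEED_TOO_SHORT = -1,    /* first fragment shorter than the header: discarded */
    FEED_TOO_LARGE = -2,    /* wLength exceeds buffer capacity: discarded */
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Feed one control-transfer fragment. Every length used for copying is
 * derived only from bytes that were actually received. */
enum feed_result feed_fragment(struct notif_reassembler *r,
                               const uint8_t *data, size_t len)
{
    if (r->nb_index == 0) {
        /* The check the fix adds: do not read wLength (or any other header
         * field) until the whole header is present in the received data. */
        if (len < sizeof(struct cdc_notification)) {
            fprintf(stderr, "malformed notification: first fragment %zu bytes, "
                    "need %zu; discarding\n", len, sizeof(struct cdc_notification));
            r->expected_size = 0;
            return FEED_TOO_SHORT;
        }
        uint16_t wlength = get_le16(data + offsetof(struct cdc_notification, wLength));
        r->expected_size = sizeof(struct cdc_notification) + wlength;
        if (r->expected_size > sizeof(r->buf)) {
            r->expected_size = 0;
            return FEED_TOO_LARGE;
        }
    }

    /* expected_size is never recomputed from later fragments, so
     * nb_index <= expected_size always holds and this subtraction cannot wrap. */
    size_t remaining = r->expected_size - r->nb_index;
    size_t ncopy = len < remaining ? len : remaining;
    memcpy(r->buf + r->nb_index, data, ncopy);
    r->nb_index += ncopy;

    if (r->nb_index == r->expected_size) {
        r->nb_index = 0;    /* ready for the next notification */
        return FEED_COMPLETE;
    }
    return FEED_MORE;
}

int main(void)
{
    struct notif_reassembler r = {0};
    /* Constructed fragments: a 4-byte truncated header, then a complete
     * SERIAL_STATE-style notification (wLength = 2) split into two pieces. */
    const uint8_t truncated[4] = {0xA1, 0x20, 0x00, 0x00};
    const uint8_t header[8]    = {0xA1, 0x20, 0, 0, 0, 0, 0x02, 0x00};
    const uint8_t payload[2]   = {0x03, 0x00};

    printf("truncated -> %d\n", feed_fragment(&r, truncated, sizeof truncated));
    printf("header    -> %d\n", feed_fragment(&r, header, sizeof header));
    printf("payload   -> %d\n", feed_fragment(&r, payload, sizeof payload));
    return 0;
}
```

The design point is that the only length a device controls, wLength, is read once, from bytes known to have arrived, and bounded against the buffer before any copy; a truncated first fragment is logged and dropped without touching reassembly state, which is the behaviour the stable patches introduce.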
Details
- CWE(s)