CVE-2025-21735
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

NFC: nci: Add bounds checking in nci_hci_create_pipe()

The "pipe" variable is a u8 which comes from the network. If it's more than 127, then it results in memory corruption in the caller, nci_hci_connect_gate().
Security Summary
CVE-2025-21735 is a vulnerability in the Linux kernel's NFC NCI (NFC Controller Interface) subsystem, in the HCI helper nci_hci_create_pipe() (net/nfc/nci/hci.c). The function sends an ADM_CREATE_PIPE command to the NFC controller and returns the pipe id from the controller's response as a u8 without checking it. The caller, nci_hci_connect_gate(), uses that id to index the per-pipe table in the HCI device structure, which holds NCI_HCI_MAX_PIPES (127) entries, so any id of 127 or above (the commit message says "more than 127") writes past the end of the array (CWE-787, out-of-bounds write). The only check the caller applied was for the sentinel NCI_HCI_INVALID_PIPE (0x80), which catches exactly one of the 129 bad values. It affects kernels that do not carry the fix below, on mainline and on the stable branches listed under Mitigation, and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The untrusted value is not supplied by a remote NFC peer but by whatever sits on the controller side of the NCI transport: a malicious or compromised NFC controller, or a local process emulating one through the virtual NCI device driver (CONFIG_NFC_VIRTUAL_NCI, /dev/virtual_nci), which is how fuzzers typically reach this code without hardware. That is consistent with the CVSS vector's local attack vector and low privileges. The primitive is narrower than an arbitrary write: the attacker chooses the index (at most 255, so the write lands a bounded distance past the table, in adjacent fields of the same kernel structure), while the values written are the gate and host ids the kernel itself is connecting. That is still kernel memory corruption with the usual consequences (crash, and potentially privilege escalation if the corrupted neighbours are useful), which is why confidentiality, integrity and availability are all rated high.
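The check described above, as an added user-space model that is not kernel code: it contrasts the unchecked return of the controller-chosen pipe byte with the fixed version, shows that the caller's sentinel check alone does not stop out-of-range ids, and computes how far past the pipe table the write would land. The constants mirror NCI_HCI_MAX_PIPES and NCI_HCI_INVALID_PIPE from the kernel headers; the structure layout and the response bytes are assumptions constructed for the demo.

```c
/* Added example (not kernel code): user-space model of the bounds check that
 * closes CVE-2025-21735. Struct layout and response bytes are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NCI_HCI_MAX_PIPES    127   /* pipes[] has this many entries */
#define NCI_HCI_INVALID_PIPE 0x80  /* sentinel the caller already rejects */

/* Simplified stand-in for the HCI device structure: the pipe table followed
 * by whichever field comes next. Assumed layout, for offset arithmetic only. */
struct pipe_entry { uint8_t gate; uint8_t host; };
struct hci_dev_model {
	struct pipe_entry pipes[NCI_HCI_MAX_PIPES];
	uint8_t gate2pipe[256];
};

/* ADM_CREATE_PIPE response as the driver reads it: src_host, src_gate,
 * dest_host, dest_gate, pipe. Only the last byte matters here. */
#define RESP_LEN 5
#define RESP_PIPE_OFFSET 4

/* Constructed controller responses (not captured traffic). */
static const uint8_t resp_ok[RESP_LEN]       = {0x00, 0x05, 0x01, 0x20, 5};
static const uint8_t resp_boundary[RESP_LEN] = {0x00, 0x05, 0x01, 0x20, 127};
static const uint8_t resp_oob[RESP_LEN]      = {0x00, 0x05, 0x01, 0x20, 200};

/* Before the fix: the controller-chosen byte is returned unchanged. */
static uint8_t create_pipe_vulnerable(const uint8_t *resp)
{
	return resp[RESP_PIPE_OFFSET];
}

/* After the fix: anything that cannot index pipes[] becomes INVALID_PIPE. */
static uint8_t create_pipe_fixed(const uint8_t *resp)
{
	uint8_t pipe = resp[RESP_PIPE_OFFSET];

	if (pipe >= NCI_HCI_MAX_PIPES)
		pipe = NCI_HCI_INVALID_PIPE;
	return pipe;
}

/* The only check the caller applied to the returned id: it rejects the
 * sentinel, so 127..255 (except 0x80) went through before the fix. */
static bool caller_accepts(uint8_t pipe)
{
	return pipe != NCI_HCI_INVALID_PIPE;
}

/* Bytes that the write to pipes[pipe] would land past the end of the table
 * (0 when in bounds). Pure sizeof arithmetic, so no bad pointer is formed. */
static size_t overflow_bytes(uint8_t pipe)
{
	size_t end = ((size_t)pipe + 1) * sizeof(struct pipe_entry);
	size_t limit = sizeof(((struct hci_dev_model *)0)->pipes);

	return end > limit ? end - limit : 0;
}

/* Model of the caller's table update: 0 on success, -1 when refused. The
 * range guard belongs to the model; the kernel relies on create_pipe(). */
static int connect_gate(struct hci_dev_model *dev, uint8_t pipe,
			uint8_t dest_host, uint8_t dest_gate)
{
	if (!caller_accepts(pipe) || pipe >= NCI_HCI_MAX_PIPES)
		return -1;
	dev->pipes[pipe].gate = dest_gate;
	dev->pipes[pipe].host = dest_host;
	dev->gate2pipe[dest_gate] = pipe;
	return 0;
}

/* Fixed path end to end: 1 if the table was updated, 0 if the id was refused. */
static int fixed_path_updates_table(const uint8_t *resp)
{
	static struct hci_dev_model dev;
	uint8_t pipe = create_pipe_fixed(resp);

	return connect_gate(&dev, pipe, resp[2], resp[3]) == 0;
}

int main(void)
{
	const uint8_t *resps[] = { resp_ok, resp_boundary, resp_oob };

	for (size_t i = 0; i < 3; i++) {
		uint8_t before = create_pipe_vulnerable(resps[i]);

		printf("pipe byte %3u: unpatched caller accepts=%s overflow=%zu bytes; "
		       "patched id=0x%02x table updated=%d\n",
		       before, caller_accepts(before) ? "yes" : "no",
		       overflow_bytes(before), create_pipe_fixed(resps[i]),
		       fixed_path_updates_table(resps[i]));
	}
	return 0;
}
```

Index 127 is the interesting boundary: it is the first out-of-range entry, yet the commit message's "more than 127" wording would suggest it is fine, which is why the fix compares with `>=` rather than `>`.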
Mitigation is the kernel patch that adds the bounds check to nci_hci_create_pipe(): a pipe id at or above NCI_HCI_MAX_PIPES is replaced with NCI_HCI_INVALID_PIPE, which nci_hci_connect_gate() already rejects. It is carried by the following stable branch commits: 10b3f947b609713e04022101f492d288a014ddfa, 110b43ef05342d5a11284cc8b21582b698b4ef1c, 172cdfc3a5ea20289c58fb73dadc6fd4a8784a4e, 2ae4bade5a64d126bd18eb66bd419005c5550218, and 59c7ed20217c0939862fbf8145bc49d5b3a13f4f. Update affected kernels promptly where NFC is in use. On systems that do not need NFC, an interim measure is to keep the nci (and nfc) modules from loading, for example with a modprobe blacklist entry, since the vulnerable code is only reachable once an NCI device is registered.
Details
- CWE(s)