CVE-2025-21742
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

usbnet: ipheth: use static NDP16 location in URB

Original code allowed for the start of NDP16 to be anywhere within the URB based on the `wNdpIndex` value in NTH16. Only the start position of NDP16 was checked, so it was possible for even the fixed-length part of NDP16 to extend past the end of URB, leading to an out-of-bounds read.

On iOS devices, the NDP16 header always directly follows NTH16. Rely on and check for this specific format. This, along with NCM-specific minimal URB length check that already exists, will ensure that the fixed-length part of NDP16 plus a set amount of DPEs fit within the URB.

Note that this commit alone does not fully address the OoB read. The limit on the amount of DPEs needs to be enforced separately.
Security Summary
CVE-2025-21742 is an out-of-bounds read vulnerability in the Linux kernel's usbnet ipheth driver, which handles Ethernet over USB for iOS devices. The issue stems from the original code allowing the NDP16 header to start at any position within a USB Request Block (URB) based on the wNdpIndex value in the NTH16 header, with only the start position being checked. This permitted the fixed-length portion of the NDP16 header to extend beyond the end of the URB buffer, resulting in an out-of-bounds read. The vulnerability is classified under CWE-125 and carries a CVSS v3.1 base score of 7.1.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations through unauthorized memory reads and high-impact availability disruptions, such as kernel crashes, while integrity remains unaffected due to the read-only nature of the flaw.
The referenced kernel commit patches mitigate the issue by enforcing a static NDP16 location directly following the NTH16 header, as observed on iOS devices, combined with existing NCM-specific minimum URB length checks to ensure the fixed NDP16 portion and a set number of DPEs fit within the buffer. However, the patches note that this change alone does not fully resolve the out-of-bounds read, as a separate enforcement of the DPE count limit is required.
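The difference between the two checks, as an added user-space example that is not the kernel's code: it models the start-only check and the static-location check on a constructed URB. The function names and `ASSUMED_DPES` are assumptions made for illustration; the header sizes are the standard NCM 16-bit layouts.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NCM 16-bit header sizes on the wire. */
#define NTH16_LEN 12u /* dwSignature, wHeaderLength, wSequence, wBlockLength, wNdpIndex */
#define NDP16_LEN 8u  /* fixed-length part: dwSignature, wLength, wNextNdpIndex */
#define DPE16_LEN 4u  /* wDatagramIndex, wDatagramLength */
#define ASSUMED_DPES 2u /* assumption: stand-in for the driver's set amount of DPEs */
#define MIN_URB_LEN (NTH16_LEN + NDP16_LEN + ASSUMED_DPES * DPE16_LEN)

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Constructed sample: zeroed URB with only wNdpIndex (offset 10) set. */
void make_urb(uint8_t *urb, size_t len, uint16_t ndp_index) {
    memset(urb, 0, len);
    urb[10] = (uint8_t)(ndp_index & 0xff);
    urb[11] = (uint8_t)(ndp_index >> 8);
}

/* Old behaviour as described: only the start of NDP16 is checked. */
int ndp16_offset_start_only(const uint8_t *urb, size_t len) {
    if (len < NTH16_LEN) return -1;
    uint16_t idx = le16(urb + 10);
    return idx < len ? (int)idx : -1;
}

/* Fixed behaviour as described: NDP16 must directly follow NTH16, and the
 * minimal URB length guarantees room for NDP16 plus the set DPEs.
 * The DPE count limit still has to be enforced separately. */
int ndp16_offset_static(const uint8_t *urb, size_t len) {
    if (len < MIN_URB_LEN) return -1;
    return le16(urb + 10) == NTH16_LEN ? (int)NTH16_LEN : -1;
}

/* 1 when the fixed-length part of NDP16 at off lies inside the URB. */
int ndp16_fixed_part_fits(int off, size_t len) {
    return off >= 0 && (size_t)off + NDP16_LEN <= len;
}

int main(void) {
    uint8_t urb[32];
    make_urb(urb, sizeof urb, 28); /* NDP16 would start 4 bytes before the end */
    int old = ndp16_offset_start_only(urb, sizeof urb);
    printf("start-only: offset %d, header fits: %d\n", old, ndp16_fixed_part_fits(old, sizeof urb));
    printf("static:     offset %d\n", ndp16_offset_static(urb, sizeof urb));
    return 0;
}
```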
Details
- CWE(s)