CVE-2025-39757
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Validate UAC3 cluster segment descriptors
UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 11785ef53228d23ec386f5fe4a34601536f0c891 < 799c06ad4c9c790c265e8b6b94947213f1fb389c | affected |
| Linux | Linux | 11785ef53228d23ec386f5fe4a34601536f0c891 < 786571b10b1ae6d90e1242848ce78ee7e1d493c4 | affected |
| Linux | Linux | 11785ef53228d23ec386f5fe4a34601536f0c891 < 275e37532e8ebe25e8a4069b2d9f955bfd202a46 | affected |
| Linux | Linux | 11785ef53228d23ec386f5fe4a34601536f0c891 < 47ab3d820cb0a502bd0074f83bb3cf7ab5d79902 | affected |
| Linux | Linux | 11785ef53228d23ec386f5fe4a34601536f0c891 < 1034719fdefd26caeec0a44a868bb5a412c2c1a5 | affected |
| Linux | Linux | 11785ef53228d23ec386f5fe4a34601536f0c891 < ae17b3b5e753efc239421d186cd1ff06e5ac296e | affected |
| Linux | Linux | 11785ef53228d23ec386f5fe4a34601536f0c891 < dfdcbcde5c20df878178245d4449feada7d5b201 | affected |
| Linux | Linux | 11785ef53228d23ec386f5fe4a34601536f0c891 < 7ef3fd250f84494fb2f7871f357808edaa1fc6ce | affected |
| Linux | Linux | 11785ef53228d23ec386f5fe4a34601536f0c891 < ecfd41166b72b67d3bdeb88d224ff445f6163869 | affected |
| Linux | Linux | 4.19 | affected |
| Linux | Linux | 0 < 4.19 | unaffected |
| Linux | Linux | 5.4.297 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.241 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.190 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.149 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.103 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.43 <= 6.12.* | unaffected |
| Linux | Linux | 6.15.11 <= 6.15.* | unaffected |
| Linux | Linux | 6.16.2 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/799c06ad4c9c790c265e8b6b94947213f1fb389c
- https://git.kernel.org/stable/c/786571b10b1ae6d90e1242848ce78ee7e1d493c4
- https://git.kernel.org/stable/c/275e37532e8ebe25e8a4069b2d9f955bfd202a46
- https://git.kernel.org/stable/c/47ab3d820cb0a502bd0074f83bb3cf7ab5d79902
- https://git.kernel.org/stable/c/1034719fdefd26caeec0a44a868bb5a412c2c1a5
- https://git.kernel.org/stable/c/ae17b3b5e753efc239421d186cd1ff06e5ac296e
- https://git.kernel.org/stable/c/dfdcbcde5c20df878178245d4449feada7d5b201
- https://git.kernel.org/stable/c/7ef3fd250f84494fb2f7871f357808edaa1fc6ce
- https://git.kernel.org/stable/c/ecfd41166b72b67d3bdeb88d224ff445f6163869
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.