CVE-2025-68217

Summary

In the Linux kernel, the following vulnerability has been resolved:

Input: pegasus-notetaker - fix potential out-of-bounds access

In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer.

Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1afca2b66aac7ac262d3511c68725e9e7053b40f < c4e746651bd74c38f581e1cf31651119a94de8cdaffected
LinuxLinux1afca2b66aac7ac262d3511c68725e9e7053b40f < 36bc92b838ff72f62f2c17751a9013b29ead2513affected
LinuxLinux1afca2b66aac7ac262d3511c68725e9e7053b40f < 015b719962696b793997e8deefac019f816aca77affected
LinuxLinux1afca2b66aac7ac262d3511c68725e9e7053b40f < 084264e10e2ae8938a54355123ad977eb9df56d6affected
LinuxLinux1afca2b66aac7ac262d3511c68725e9e7053b40f < d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479affected
LinuxLinux1afca2b66aac7ac262d3511c68725e9e7053b40f < 9ab67eff6d654e34ba6da07c64761aa87c2a3c26affected
LinuxLinux1afca2b66aac7ac262d3511c68725e9e7053b40f < 763c3f4d2394a697d14af1335d3bb42f05c9409faffected
LinuxLinux1afca2b66aac7ac262d3511c68725e9e7053b40f < 69aeb507312306f73495598a055293fa749d454eaffected
LinuxLinux4.8affected
LinuxLinux0 < 4.8unaffected
LinuxLinux5.4.302 <= 5.4.*unaffected
LinuxLinux5.10.247 <= 5.10.*unaffected
LinuxLinux5.15.197 <= 5.15.*unaffected
LinuxLinux6.1.159 <= 6.1.*unaffected
LinuxLinux6.6.118 <= 6.6.*unaffected
LinuxLinux6.12.60 <= 6.12.*unaffected
LinuxLinux6.17.10 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References