HIGH
caif Frame Underflow
CVE-2025-68799
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

caif: fix integer underflow in cffrml_receive()

The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, and to potential information disclosure if padding contains uninitialized kernel memory. Fix this by validating that len >= 2 before performing the subtraction.
02 KernelScan AI Analysis
Risk summary
Attackers in an adjacent network position (e.g., a compromised or malicious CAIF peer/modem) can send malformed CAIF packets to trigger an integer underflow, causing memory exhaustion and kernel crashes. Systems using the CAIF protocol with FCS disabled are vulnerable to denial of service and potential information disclosure through uninitialized kernel memory.
Vulnerability analysis
The cffrml_receive() function in the CAIF framing layer extracts a length field from incoming packets and subtracts 2 when FCS is disabled, without validating that the length is at least 2. An attacker can send packets with a length field of 0 or 1; the unsigned subtraction then wraps to a very large value, and when that value is used as the packet length it leads to extremely large allocation sizes that exhaust memory or expose uninitialized kernel data. The fix adds validation to ensure len >= 2 before the subtraction and returns -EPROTO for invalid frames. This is reachable from adjacent attackers who can inject raw CAIF frames into the modem-host interface.
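To make the missing check concrete, the following is an added C model of the vulnerable length handling beside its hardened form. It is not the kernel's cffrml_receive() source: it assumes the length is read into a 16-bit unsigned variable, and the sample headers are constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the length handling the advisory describes; it is
 * not the kernel's cffrml_receive() code. A CAIF frame begins with a
 * 16-bit little-endian length (assumed here to be held in a u16), and
 * when FCS is disabled the two FCS bytes are subtracted from it. */

/* Constructed sample headers: declared length 0, 1 and 16. */
static const uint8_t HDR_LEN0[2]  = { 0x00, 0x00 };
static const uint8_t HDR_LEN1[2]  = { 0x01, 0x00 };
static const uint8_t HDR_LEN16[2] = { 0x10, 0x00 };

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: len is unsigned, so 0 - 2 and 1 - 2 wrap to 65534
 * and 65535 instead of failing, and that bogus size reaches the packet
 * resize/allocation path. */
static uint16_t frame_len_vulnerable(const uint8_t *hdr, bool dofcs)
{
    uint16_t len = read_le16(hdr);
    if (!dofcs)
        len -= 2;               /* no check that len >= 2 */
    return len;
}

/* Hardened pattern: refuse frames whose declared length cannot even hold
 * the FCS before subtracting. Returns the payload length or -EPROTO. */
static long frame_len_checked(const uint8_t *hdr, bool dofcs)
{
    uint16_t len = read_le16(hdr);
    if (!dofcs) {
        if (len < 2)
            return -EPROTO;     /* malformed frame: drop it */
        len -= 2;
    }
    return len;
}

int main(void)
{
    printf("vulnerable, len=0,  FCS off: %u\n", (unsigned)frame_len_vulnerable(HDR_LEN0, false));
    printf("checked,    len=0,  FCS off: %ld\n", frame_len_checked(HDR_LEN0, false));
    printf("checked,    len=16, FCS off: %ld\n", frame_len_checked(HDR_LEN16, false));
    return 0;
}
```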
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.248 | f407f1c9f45b |
| 5.15 | 5.15.198 | c54091eec6fe |
| 6.1 | 6.1.160 | 785c7be63616 |
| 6.12 | 6.12.64 | 4ec29714aa4e |
| 6.18 | 6.18.3 | 21fdcc00656a |
| 6.6 | 6.6.120 | f818cd472565 |
| mainline | 6.19 | 8a11ff0948b5 |