HIGH
media/dvb-usb I2cMsg OOB
CVE-2025-68819
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()

rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln.
02 KernelScan AI Analysis
Risk summary
Local attackers with access to DVB USB devices can trigger an out-of-bounds write in kernel memory by providing oversized read length values through I2C messages. This can lead to kernel memory corruption, privilege escalation, or system crashes on systems with DVB-T USB tuners.
Vulnerability analysis
The vulnerability exists in dtv5100_i2c_msg() where a user-controlled rlen parameter is used to copy data into a fixed-size buffer (st->data) without bounds checking. The memcpy(st->data, rbuf, rlen) operation can write beyond the buffer boundaries if rlen exceeds sizeof(st->data). The fix adds a bounds check that validates rlen against the buffer size and returns -EINVAL if it's too large. This is reachable through DVB device operations that require local access to the USB device node, typically requiring membership in the video group or similar permissions.
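The bounds check described above, as a user-space model added here for illustration; it is not the kernel driver's code or the upstream patch. The model_* names, the 80-byte buffer size, the 16-bit type of rlen, the canary field and the return value on success are assumptions of the model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MODEL_DATA_LEN 80 /* assumed buffer size for this model only */

struct model_state {
    uint8_t data[MODEL_DATA_LEN]; /* stands in for st->data */
    uint8_t canary[16];           /* model-only guard placed after data[] */
};

/* Bytes an unchecked memcpy(st->data, rbuf, rlen) would write past data[]. */
size_t model_overrun(uint16_t rlen)
{
    return rlen > MODEL_DATA_LEN ? (size_t)rlen - MODEL_DATA_LEN : 0;
}

/* Hardened form: validate rlen against the buffer before any copy. */
int model_i2c_msg(struct model_state *st, const uint8_t *rbuf, uint16_t rlen)
{
    if (rlen > sizeof(st->data))
        return -EINVAL;
    memcpy(st->data, rbuf, rlen);
    return rlen; /* the model returns the accepted length */
}

/* Try every 16-bit rlen; return 1 if results match and the guard is intact. */
int model_check_all_lengths(void)
{
    static uint8_t rbuf[MODEL_DATA_LEN]; /* constructed caller buffer */
    struct model_state st = {0};
    memset(rbuf, 0x41, sizeof(rbuf));
    memset(st.canary, 0xA5, sizeof(st.canary));
    for (uint32_t rlen = 0; rlen <= UINT16_MAX; rlen++) {
        int want = rlen <= MODEL_DATA_LEN ? (int)rlen : -EINVAL;
        if (model_i2c_msg(&st, rbuf, (uint16_t)rlen) != want)
            return 0;
    }
    for (size_t i = 0; i < sizeof(st.canary); i++)
        if (st.canary[i] != 0xA5)
            return 0;
    return 1;
}

int main(void)
{
    printf("overrun at rlen=81: %zu, all lengths safe: %d\n", model_overrun(81), model_check_all_lengths());
    return 0;
}
```

The check sits before the copy, so an oversized rlen is rejected with -EINVAL and the memory after the buffer is never touched.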
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.248 | c2c293ea7b61 |
| 5.15 | 5.15.198 | c2305b4c5fc1 |
| 6.1 | 6.1.160 | 61f214a878e9 |
| 6.6 | 6.6.120 | 4a54d8fcb093 |
| 6.12 | 6.12.64 | fe3e129ab498 |
| 6.18 | 6.18.3 | ac92151ff249 |
| mainline | 6.19 | b91e6aafe8d3 |