Cyber Resilience

CVE-2025-21704

Severity: High · Public PoC · Updated

Published: 22 February 2025
Modified: 12 May 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21704 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-21704 affects the Linux kernel's CDC-ACM USB driver, which handles communications for abstract-control-model modems over USB. The vulnerability arises from a failure to check the control transfer buffer size before accessing it when processing fragmented notifications. If the first fragment is shorter than struct usb_cdc_notification, the driver reads the length field from memory outside the received data and derives an incorrect expected_size from it; when that value decreases between fragments, the subtraction expected_size - acm->nb_index wraps and the reassembly copy corrupts memory. This issue has existed since the start of the kernel's git history but only results in corruption following commit ea2583529cd1, which introduced fragmented notification reassembly.

A local attacker with low privileges can exploit this vulnerability by connecting a specially crafted USB device that sends malformed fragmented CDC notifications. Exploitation requires the acm_ctrl_irq function to execute, which only occurs after userspace has opened /dev/ttyACM*; ModemManager may do this automatically based on the USB device's vendor and product IDs and its other interfaces. Successful exploitation yields kernel memory corruption, with high impact on confidentiality, integrity, and availability, as reflected in the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and the mapping to CWE-787 (Out-of-bounds Write).

Mitigation requires updating to a patched Linux kernel version. Relevant stable branch patches are available at the following commit URLs: https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831, https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c, https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646, https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812, and https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118. These patches log an error and discard invalid notifications when the buffer is too short, preventing the unsafe access.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access. If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap. This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications"). A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.
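The reassembly step described in the Deeper analysis and in the fix text above, as a constructed C model added here (not the kernel's acm_ctrl_irq code): the header is parsed only from a first fragment that holds a whole header, so expected_size is fixed once per message and the remaining-room subtraction cannot wrap. The struct layout, fixed-size buffer and return codes are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 8-byte model of the CDC notification header (little-endian on the wire). */
struct cdc_notification {
    uint8_t  bmRequestType;
    uint8_t  bNotificationType;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;        /* payload bytes that follow the header */
};

#define NB_MAX 64            /* constructed fixed reassembly buffer; the driver grows its buffer instead */

struct acm_state {
    uint8_t nb[NB_MAX];      /* reassembly buffer (acm->notification_buffer in the driver) */
    size_t  nb_index;        /* bytes accumulated so far (acm->nb_index) */
    size_t  expected_size;   /* header + wLength, fixed once per message */
};

enum frag_result { FRAG_REJECTED, FRAG_NEED_MORE, FRAG_COMPLETE };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* One fragment arrives. The header is parsed only from a first fragment that
 * actually holds a whole header; the pre-fix logic skipped this check, so a
 * shorter first fragment had wLength read from beyond the received bytes,
 * yielding an expected_size that could later shrink and make
 * expected_size - nb_index wrap. */
enum frag_result acm_push_fragment(struct acm_state *st, const uint8_t *data, size_t len)
{
    if (st->nb_index == 0) {
        if (len < sizeof(struct cdc_notification)) {
            fprintf(stderr, "control transfer too short, discarding\n"); /* log an error and discard */
            return FRAG_REJECTED;
        }
        st->expected_size = sizeof(struct cdc_notification) + le16(data + 6);
        if (st->expected_size > NB_MAX)              /* constructed bound for the fixed buffer */
            return FRAG_REJECTED;
    }
    size_t room = st->expected_size - st->nb_index;  /* cannot wrap: expected_size is fixed */
    size_t n = len < room ? len : room;
    memcpy(st->nb + st->nb_index, data, n);
    st->nb_index += n;
    if (st->nb_index < st->expected_size)
        return FRAG_NEED_MORE;
    st->nb_index = 0;                                /* message complete; ready for the next one */
    return FRAG_COMPLETE;
}
```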


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The kernel memory corruption vulnerability in the CDC-ACM USB driver can be triggered locally by a low-privileged attacker via a crafted USB device, directly enabling privilege escalation through out-of-bounds write in kernel space.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux kernel)
CVE-2026-31772 (same product: Linux kernel)
CVE-2026-23378 (same product: Linux kernel)
CVE-2026-31494 (same product: Linux kernel)
CVE-2025-21735 (same product: Linux kernel)
CVE-2025-21650 (same product: Linux kernel)
CVE-2024-52319 (same product: Linux kernel)
CVE-2024-58003 (same product: Linux kernel)
CVE-2026-23343 (same product: Linux kernel)
CVE-2026-23092 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 2.6.12; 6.14; 2.6.13 through 5.4.291; 5.5 through 5.10.235; 5.11 through 5.15.179

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (control type: prevent)

Directly addresses the core vulnerability by requiring validation of USB CDC-ACM control transfer buffer sizes before access to prevent out-of-bounds reads and memory corruption.

Flaw remediation (control type: prevent, recover)

Mandates timely identification, reporting, and patching of the flaw in the Linux kernel CDC-ACM driver using the provided stable branch commits.

SI-16 Memory Protection (control type: prevent)

Implements memory safeguards such as isolation and execution policies to protect against unauthorized modification from out-of-bounds writes triggered by malformed USB notifications.

References