Cyber Posture

CVE-2025-21742

High

Published: 27 February 2025

Modified: 01 October 2025
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (1.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21742 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 1.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Timely flaw remediation through kernel patching directly eliminates the out-of-bounds read vulnerability in the ipheth USB driver.

prevent: Information input validation enforces strict checks on USB packet headers like NDP16 position and length to prevent buffer overreads.

prevent: Kernel memory protections such as KASLR and SMAP mitigate information leakage and crashes from out-of-bounds reads in the ipheth driver.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Out-of-bounds read enables unauthorized kernel memory access for data collection from local system (T1005); kernel crashes via exploitation enable endpoint DoS through application/system exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

usbnet: ipheth: use static NDP16 location in URB

Original code allowed for the start of NDP16 to be anywhere within the URB based on the `wNdpIndex` value in NTH16. Only the start position of NDP16 was checked, so it was possible for even the fixed-length part of NDP16 to extend past the end of URB, leading to an out-of-bounds read.

On iOS devices, the NDP16 header always directly follows NTH16. Rely on and check for this specific format.

This, along with NCM-specific minimal URB length check that already exists, will ensure that the fixed-length part of NDP16 plus a set amount of DPEs fit within the URB.

Note that this commit alone does not fully address the OoB read. The limit on the amount of DPEs needs to be enforced separately.

Deeper analysis

CVE-2025-21742 is an out-of-bounds read vulnerability in the Linux kernel's usbnet ipheth driver, which handles Ethernet over USB for iOS devices. The original code allowed the NDP16 header to start at any position within a USB Request Block (URB), based on the wNdpIndex value in the NTH16 header, and checked only that start position. As a result, the fixed-length portion of the NDP16 header could extend beyond the end of the URB buffer, resulting in an out-of-bounds read. The vulnerability is classified under CWE-125 and carries a CVSS v3.1 base score of 7.1.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations through unauthorized memory reads and high-impact availability disruptions, such as kernel crashes, while integrity remains unaffected due to the read-only nature of the flaw.

The referenced kernel commits mitigate the issue by enforcing a static NDP16 location directly following the NTH16 header, as observed on iOS devices. Combined with the existing NCM-specific minimum URB length check, this ensures that the fixed NDP16 portion and a set number of DPEs fit within the buffer. However, the commit message notes that this change alone does not fully resolve the out-of-bounds read, because the DPE count limit must be enforced separately.
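The difference between the two checks described above, as an added example that is not the kernel driver's code: a user-space model using the CDC NCM header sizes (12-byte NTH16 with `wNdpIndex` at offset 10, 8-byte fixed NDP16 part, 4-byte DPE16). The function names, the sample URBs and the `MIN_DPES` value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NTH16_LEN       12u /* CDC NCM NTH16; wNdpIndex sits at byte offset 10 */
#define NDP16_FIXED_LEN  8u /* dwSignature + wLength + wNextNdpIndex */
#define DPE16_LEN        4u /* wDatagramIndex + wDatagramLength */
#define MIN_DPES         2u /* assumption: stand-in for the "set amount of DPEs" */

/* Constructed sample URBs (not captured traffic); unlisted bytes are zero. */
const uint8_t URB_OK[28]    = { 'N','C','M','H', 12,0, 0,0, 28,0, 12,0 };
const uint8_t URB_TAIL[28]  = { 'N','C','M','H', 12,0, 0,0, 28,0, 26,0 };
const uint8_t URB_SHORT[16] = { 'N','C','M','H', 12,0, 0,0, 16,0, 12,0 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Model of the flawed logic: only the start of NDP16 is bounded by the URB. */
int ndp16_start_only_ok(const uint8_t *urb, size_t len)
{
    return len >= NTH16_LEN && le16(urb + 10) < len;
}

/* Model of the fix: NDP16 must directly follow NTH16, and the URB must hold
 * NTH16, the fixed part of NDP16 and MIN_DPES datagram pointer entries. */
int ndp16_static_ok(const uint8_t *urb, size_t len)
{
    if (len < NTH16_LEN + NDP16_FIXED_LEN + MIN_DPES * DPE16_LEN)
        return 0;
    return le16(urb + 10) == NTH16_LEN;
}

/* Bytes of the fixed NDP16 part that would be read past the end of the URB. */
size_t ndp16_overread(const uint8_t *urb, size_t len)
{
    if (len < NTH16_LEN)
        return 0;
    size_t end = (size_t)le16(urb + 10) + NDP16_FIXED_LEN;
    return end > len ? end - len : 0;
}

int main(void)
{
    printf("tail:  start-only=%d static=%d overread=%zu\n",
           ndp16_start_only_ok(URB_TAIL, sizeof URB_TAIL),
           ndp16_static_ok(URB_TAIL, sizeof URB_TAIL),
           ndp16_overread(URB_TAIL, sizeof URB_TAIL));
    return 0;
}
```

The model covers only the NDP16 location and minimum-length checks; the separate DPE count limit mentioned in the commit message is not modeled.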

Details

CWE(s)

Affected Products

linux
linux kernel
6.5 — 6.6.78 · 6.7 — 6.12.14 · 6.13 — 6.13.3

CVEs Like This One

CVE-2025-71231 · Same product: Linux Kernel
CVE-2024-58015 · Same product: Linux Kernel
CVE-2024-52332 · Same product: Linux Kernel
CVE-2025-71093 · Same product: Linux Kernel
CVE-2026-23397 · Same product: Linux Kernel
CVE-2024-58007 · Same product: Linux Kernel
CVE-2025-71133 · Same product: Linux Kernel
CVE-2025-21789 · Same product: Linux Kernel
CVE-2026-23187 · Same product: Linux Kernel
CVE-2026-23315 · Same product: Linux Kernel
