{"id":"AZL-64893","summary":"CVE-2025-38348 affecting package kernel for versions less than 6.6.96.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()\n\nRobert Morris reported:\n\n|If a malicious USB device pretends to be an Intersil p54 wifi\n|interface and generates an eeprom_readback message with a large\n|eeprom-\u003ev1.len, p54_rx_eeprom_readback() will copy data from the\n|message beyond the end of priv-\u003eeeprom.\n|\n|static void p54_rx_eeprom_readback(struct p54_common *priv,\n|                                   struct sk_buff *skb)\n|{\n|        struct p54_hdr *hdr = (struct p54_hdr *) skb-\u003edata;\n|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr-\u003edata;\n|\n|        if (priv-\u003efw_var \u003e= 0x509) {\n|                memcpy(priv-\u003eeeprom, eeprom-\u003ev2.data,\n|                       le16_to_cpu(eeprom-\u003ev2.len));\n|        } else {\n|                memcpy(priv-\u003eeeprom, eeprom-\u003ev1.data,\n|                       le16_to_cpu(eeprom-\u003ev1.len));\n|        }\n| [...]\n\nThe eeprom-\u003ev{1,2}.len is set by the driver in p54_download_eeprom().\nThe device is supposed to provide the same length back to the driver.\nBut yes, it's possible (like shown in the report) to alter the value\nto something that causes a crash/panic due to overrun.\n\nThis patch addresses the issue by adding the size to the common device\ncontext, so p54_rx_eeprom_readback no longer relies on possibly tampered\nvalues... That said, it also checks if the \"firmware\" altered the value\nand no longer copies them.\n\nThe one, small saving grace is: Before the driver tries to read the eeprom,\nit needs to upload \u003ea\u003c firmware. the vendor firmware has a proprietary\nlicense and as a reason, it is not present on most distributions by\ndefault.","modified":"2026-04-01T05:20:25.954970Z","published":"2025-07-10T09:15:29Z","upstream":["CVE-2025-38348"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38348"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.96.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64893.json"}}],"schema_version":"1.7.5"}