{"id":"AZL-72989","summary":"CVE-2025-68342 affecting package kernel for versions less than 6.6.119.3-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data\n\nThe URB received in gs_usb_receive_bulk_callback() contains a struct\ngs_host_frame. The length of the data after the header depends on the\ngs_host_frame hf::flags and the active device features (e.g. time\nstamping).\n\nIntroduce a new function gs_usb_get_minimum_length() and check that we have\nat least received the required amount of data before accessing it. Only\ncopy the data to that skb that has actually been received.\n\n[mkl: rename gs_usb_get_minimum_length() -\u003e +gs_usb_get_minimum_rx_length()]","modified":"2026-04-01T05:22:14.253729Z","published":"2025-12-23T14:16:40Z","upstream":["CVE-2025-68342"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68342"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.119.3-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-72989.json"}}],"schema_version":"1.7.5"}