In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set this to the same value as `MAX_SAMPLES` (65536), which is the maximum allowed sum of the values of the member `n` in the array of `struct comedi_insn`, and sensible comedi instructions will have an `n` of at least 1.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Linux
  • Linux Kernel

No data.

No data.

References
Link Providers
https://git.kernel.org/stable/c/08ae4b20f5e82101d77326ecab9089e110f224cc cve-icon cve-icon
https://git.kernel.org/stable/c/454d732dfd0aef7d7aa950c409215ca06d717e93 cve-icon cve-icon
https://git.kernel.org/stable/c/69dc06b9514522de532e997a21d035cd29b0db44 cve-icon cve-icon
https://git.kernel.org/stable/c/992d600f284e719242a434166e86c1999649b71c cve-icon cve-icon
https://git.kernel.org/stable/c/c68257588e87f45530235701a42496b7e9e56adb cve-icon cve-icon
https://git.kernel.org/stable/c/c9d3d9667443caafa804cd07940aeaef8e53aa90 cve-icon cve-icon
https://git.kernel.org/stable/c/d4c73ce13f5b5a0fe0319f1f352ff602f0ace8e3 cve-icon cve-icon
https://git.kernel.org/stable/c/e3b8322cc8081d142ee4c1a43e1d702bdba1ed76 cve-icon cve-icon
https://lore.kernel.org/linux-cve-announce/2025072814-CVE-2025-38481-1476@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-38481 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-38481 cve-icon
History

Thu, 28 Aug 2025 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 29 Jul 2025 12:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 29 Jul 2025 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Vendors & Products Linux
Linux linux Kernel

Mon, 28 Jul 2025 11:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set this to the same value as `MAX_SAMPLES` (65536), which is the maximum allowed sum of the values of the member `n` in the array of `struct comedi_insn`, and sensible comedi instructions will have an `n` of at least 1.
Title comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
References
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-07-28T11:21:46.147Z

Updated: 2025-08-28T14:43:20.991Z

Reserved: 2025-04-16T04:51:24.021Z

Link: CVE-2025-38481

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-07-28T12:15:29.980

Modified: 2025-08-28T15:15:50.173

Link: CVE-2025-38481

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-07-28T00:00:00Z

Links: CVE-2025-38481 - Bugzilla