VDB

DEBIAN-CVE-2025-38481

DEBIAN-CVE-2025-38481 PUBLISHED CVSS 5.5 MEDIUM

In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set this to the same value as `MAX_SAMPLES` (65536), which is the maximum allowed sum of the values of the member `n` in the array of `struct comedi_insn`, and sensible comedi instructions will have an `n` of at least 1.

Risk Scores

CVSS 3.1
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Debian:12linux6.1.66-1, 6.1.137-1, 6.1.106-2
Debian:13linux6.12.38-1, 0, 6.12.38-1
Debian:11linux-6.16.1.129-1, 6.1.128-1, 6.1.119-1
Debian:11linux5.10.237-1, 5.10.127-2, 5.10.127-2~bpo10+1
Debian:14linux*, 6.16, 6.16.3-1

Timeline

  • Jul 28, 2025 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›