CVE-2025-38729
Published: September 5, 2025Last modified: September 5, 2025
Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | linux-lts | Fixed (6.1.151-r0) |
| 25 LTS | linux-lts | Fixed (6.12.44-r0) | |
| Stream | linux-lts | Fixed (6.12.43-r0) |
References
- https://git.kernel.org/stable/c/07c8d78dbb5e0ff8b23f7fd69cd1d4e2ba22b3dc
- https://git.kernel.org/stable/c/1666207ba0a5973735ef010812536adde6174e81
- https://git.kernel.org/stable/c/29b415ec09f5b9d1dfa2423b826725a8c8796b9a
- https://git.kernel.org/stable/c/40714daf4d0448e1692c78563faf0ed0f9d9b5c7
- https://git.kernel.org/stable/c/452ad54f432675982cc0d6eb6c40a6c86ac61dbd
- https://git.kernel.org/stable/c/cd08d390d15b204cac1d3174f5f149a20c52e61a
- https://git.kernel.org/stable/c/d832ccbc301fbd9e5a1d691bdcf461cdb514595f
- https://git.kernel.org/stable/c/ebc9e06b6ea978a20abf9b87d41afc51b2d745ac
- https://git.kernel.org/stable/c/f03418bb9d542f44df78eec2eff4ac83c0a8ac0d
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html