CVE-2025-39757
Published: September 12, 2025Last modified: September 12, 2025
Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.1 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | NONE |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | linux-lts | Fixed (6.1.151-r0) |
| 25 LTS | linux-lts | Fixed (6.12.44-r0) | |
| Stream | linux-lts | Fixed (6.12.43-r0) |
References
- https://git.kernel.org/stable/c/1034719fdefd26caeec0a44a868bb5a412c2c1a5
- https://git.kernel.org/stable/c/275e37532e8ebe25e8a4069b2d9f955bfd202a46
- https://git.kernel.org/stable/c/47ab3d820cb0a502bd0074f83bb3cf7ab5d79902
- https://git.kernel.org/stable/c/786571b10b1ae6d90e1242848ce78ee7e1d493c4
- https://git.kernel.org/stable/c/799c06ad4c9c790c265e8b6b94947213f1fb389c
- https://git.kernel.org/stable/c/7ef3fd250f84494fb2f7871f357808edaa1fc6ce
- https://git.kernel.org/stable/c/ae17b3b5e753efc239421d186cd1ff06e5ac296e
- https://git.kernel.org/stable/c/dfdcbcde5c20df878178245d4449feada7d5b201
- https://git.kernel.org/stable/c/ecfd41166b72b67d3bdeb88d224ff445f6163869
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html