CVE-2025-21916
Medium
In the Linux kernel, the following vulnerability has been resolved:

usb: atm: cxacru: fix a flaw in existing endpoint checks

Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")).

While using usb_find_common_endpoints() may usually be enough to discard devices with wrong endpoints, in this case one needs more than just finding and identifying the sufficient number of endpoints of correct types - one needs to check the endpoint's address as well.

Since cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind, switch the endpoint verification approach to usb_check_XXX_endpoints() instead to fix incomplete ep testing.

[1] Syzbot report:
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
...
RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
...
Call Trace:
 <TASK>
 cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649
 cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline]
 cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223
 usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058
 cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377
 usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396
 really_probe+0x2b9/0xad0 drivers/base/dd.c:658
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
 driver_probe_device+0x50/0x430 drivers/base/dd.c:830
 ...
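The gap between a type-only endpoint search and an address-aware check, shown as a user-space C model added here for illustration; it is not the kernel patch or the driver's code. `find_by_type`, `check_at`, `struct ep`, the `EP_CMD` value and the descriptor set are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIR_IN    0x80  /* bEndpointAddress direction bit */
#define XFER_MASK 0x03  /* bmAttributes transfer-type bits */
enum { XFER_ISOC = 1, XFER_BULK = 2, XFER_INT = 3 };
#define EP_CMD    0x01  /* assumed value standing in for CXACRU_EP_CMD */
struct ep { uint8_t addr, attr; };

/* Type-only search: any IN and any OUT endpoint of type t, address ignored. */
static bool find_by_type(const struct ep *e, size_t n, int t)
{
    bool in = false, out = false;
    for (size_t i = 0; i < n; i++) {
        if ((e[i].attr & XFER_MASK) != t)
            continue;
        in  |= (e[i].addr & DIR_IN) != 0;
        out |= (e[i].addr & DIR_IN) == 0;
    }
    return in && out;
}

/* Address-aware check: every address in the 0-terminated list has type t. */
static bool check_at(const struct ep *e, size_t n, const uint8_t *addrs, int t)
{
    for (; *addrs; addrs++) {
        bool ok = false;
        for (size_t i = 0; i < n; i++)
            ok |= e[i].addr == *addrs && (e[i].attr & XFER_MASK) == t;
        if (!ok)
            return false;
    }
    return true;
}

static const uint8_t cmd_addrs[] = { EP_CMD | DIR_IN, EP_CMD, 0 };
/* Constructed: a bulk pair exists, but the command address is not bulk or int. */
static const struct ep odd_dev[] = { {0x82, XFER_BULK}, {0x02, XFER_BULK},
                                     {0x81, XFER_INT}, {0x01, XFER_ISOC} };

int main(void)
{
    printf("type-only: %d\n", find_by_type(odd_dev, 4, XFER_BULK));
    printf("at-address: %d\n", check_at(odd_dev, 4, cmd_addrs, XFER_BULK) ||
                               check_at(odd_dev, 4, cmd_addrs, XFER_INT));
    return 0;
}
```

The type-only search accepts the constructed descriptor set, while the address-aware check rejects it for both bulk and interrupt, so a driver using it would refuse to bind instead of building a URB for an endpoint of the wrong type.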
CVSS 3.1 score
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected versions
Linux kernel versions 5.4.279, 5.10.221, 5.15.162, 6.1.97, 6.6.37, 4.19.317, 6.9.8, 6.10 and later are affected.
Fixed in 5.4.291, 5.10.235, 5.15.179, 6.1.131, 6.6.83, 6.12.19, 6.13.7, 6.14 and their respective stable series.
References
The following references provide additional information about CVE-2025-21916 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
- Patch: Kernel patch commit, https://git.kernel.org/stable/c/197e78076c5ecd895f109158c4ea2954b9919af6
- Patch: Kernel patch commit, https://git.kernel.org/stable/c/319529e0356bd904528c64647725a2272d297c83
- Patch: Kernel patch commit, https://git.kernel.org/stable/c/903b80c21458bb1e34c3a78c5fdc553821e357f8
Frequently asked questions
- What is CVE-2025-21916?
  CVE-2025-21916 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10. It affects Linux kernel versions from 5.4.279 onward and has been patched in 5.4.291, 5.10.235, 5.15.179 and others. CVE-2025-21916 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
- What is the CVSS score for CVE-2025-21916?
  CVE-2025-21916 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
- Is there a patch available for CVE-2025-21916?
  Yes, CVE-2025-21916 has been patched. Fixed versions include 5.4.291, 5.10.235, 5.15.179 and others. If you are running Linux kernel 5.4.279 or later up to the fix versions, apply the relevant patch for your kernel branch.
- Is CVE-2025-21916 actively exploited?
  No, CVE-2025-21916 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.