CVE-2025-21916: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: atm: cxacru: fix a flaw in existing endpoint checks

Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")).

While using usb_find_common_endpoints() may usually be enough to discard devices with wrong endpoints, in this case one needs more than just finding and identifying the sufficient number of endpoints of correct types - one needs to check the endpoint's address as well.

Since cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind, switch the endpoint verification approach to usb_check_XXX_endpoints() instead to fix incomplete ep testing.

[1] Syzbot report:
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
...
RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
...
Call Trace:
 <TASK>
 cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649
 cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline]
 cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223
 usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058
 cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377
 usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396
 really_probe+0x2b9/0xad0 drivers/base/dd.c:658
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
 driver_probe_device+0x50/0x430 drivers/base/dd.c:830
 ...
AI Analysis
Technical Summary
CVE-2025-21916 is a vulnerability identified in the Linux kernel specifically affecting the USB ATM (Asynchronous Transfer Mode) driver component, cxacru. The issue arises from improper endpoint verification during USB device binding in the cxacru_bind() function. The vulnerability was detected by Syzbot, an automated kernel fuzzing tool, which reported a mismatch in USB Request Block (URB) transfer pipe types, indicating a flaw in how USB endpoints were checked. The root cause is that the existing endpoint validation relied on usb_find_common_endpoints(), which only verifies the presence and type of endpoints but does not sufficiently validate the endpoint addresses. Since cxacru_bind() fills URBs with a specific endpoint address (CXACRU_EP_CMD), the lack of address verification could lead to incorrect URB submissions to inappropriate endpoints. This flaw could cause kernel warnings, potential memory corruption, or undefined behavior in the USB subsystem, possibly leading to system instability or denial of service. The fix involved switching to usb_check_XXX_endpoints(), which performs more thorough endpoint address verification, ensuring that only valid endpoints are used for URB submissions. The vulnerability affects multiple Linux kernel versions as identified by various commit hashes, and it was publicly disclosed in April 2025. No known exploits are reported in the wild yet, and no CVSS score has been assigned.
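Added example (not kernel source and not part of the original advisory): a userspace C model of the two validation approaches described above, showing a descriptor set that passes a type-only check yet fails a check tied to the command endpoint address. The struct, the function names, the sample descriptor sets and the value 0x01 standing in for CXACRU_EP_CMD are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DIR_IN       0x80  /* direction bit in bEndpointAddress */
#define XFER_MASK    0x03  /* transfer-type bits in bmAttributes */
#define XFER_BULK    0x02
#define XFER_INT     0x03
#define MODEL_EP_CMD 0x01  /* assumed stand-in for CXACRU_EP_CMD */

struct ep { uint8_t addr; uint8_t attr; };  /* bEndpointAddress, bmAttributes */

/* Type-only check: one IN and one OUT endpoint of `type` exist at ANY address. */
static int has_in_and_out_of_type(const struct ep *eps, size_t n, uint8_t type)
{
    int in = 0, out = 0;
    for (size_t i = 0; i < n; i++) {
        if ((eps[i].attr & XFER_MASK) != type)
            continue;
        if (eps[i].addr & DIR_IN) in = 1; else out = 1;
    }
    return in && out;
}

/* Address-and-type check: every address in the 0-terminated list must be
 * present and must carry `type`. */
static int addrs_have_type(const struct ep *eps, size_t n,
                           const uint8_t *addrs, uint8_t type)
{
    for (; *addrs; addrs++) {
        int ok = 0;
        for (size_t i = 0; i < n; i++)
            if (eps[i].addr == *addrs && (eps[i].attr & XFER_MASK) == type)
                ok = 1;
        if (!ok)
            return 0;
    }
    return 1;
}

/* Constructed sample descriptor sets (not taken from any real device). */
static const struct ep well_formed[] = { {0x81, XFER_BULK}, {0x01, XFER_BULK} };
static const struct ep mismatched[]  = { {0x81, XFER_BULK}, {0x01, XFER_INT},
                                         {0x02, XFER_BULK} };
static const uint8_t cmd_addrs[] = { MODEL_EP_CMD | DIR_IN, MODEL_EP_CMD, 0 };

int main(void)
{
    printf("type-only check on mismatched set: %d\n", has_in_and_out_of_type(mismatched, 3, XFER_BULK));
    printf("address check on mismatched set:   %d\n", addrs_have_type(mismatched, 3, cmd_addrs, XFER_BULK));
    return 0;
}
```

In the mismatched set a bulk URB aimed at OUT address 0x01 would land on an interrupt endpoint, which corresponds to the "pipe 3 != type 1" mismatch in the Syzbot report.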
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with USB ATM cxacru drivers enabled. The impact includes potential system crashes or denial of service due to kernel warnings or memory corruption triggered by malformed or malicious USB devices. This could disrupt critical infrastructure or enterprise environments relying on Linux-based systems, especially those using USB ATM devices or similar hardware. Confidentiality and integrity impacts are limited since the vulnerability relates to endpoint validation rather than direct code execution or privilege escalation. However, availability could be affected if attackers exploit this flaw to cause kernel panics or system instability. Organizations with embedded Linux devices, network equipment, or industrial control systems using affected drivers are particularly at risk. Although no exploits are known, the ease of triggering the flaw via USB device interaction suggests a moderate risk of exploitation, especially in environments where physical access or USB device insertion is possible.
Mitigation Recommendations
European organizations should promptly update their Linux kernels to versions where this vulnerability is patched, ensuring the use of the fixed usb_check_XXX_endpoints() validation method. For systems where immediate patching is not feasible, organizations should implement strict USB device control policies, including disabling unused USB ports, enforcing device whitelisting, and monitoring USB device connections for anomalies. Additionally, kernel hardening techniques such as enabling kernel lockdown modes and using security modules (e.g., SELinux, AppArmor) can reduce the attack surface. Organizations should audit their hardware inventory to identify devices using the cxacru driver and assess exposure. Network segmentation and endpoint protection can help contain potential impacts. Finally, monitoring kernel logs for unusual USB-related warnings or errors can provide early detection of attempted exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.787Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd397
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 11:42:56 PM
Last updated: 8/7/2025, 11:27:06 AM