In the Linux kernel, the following vulnerability has been resolved: drivers/rapidio/rio_cm.c: prevent possible heap overwrite In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated. Address this by teaching riocm_ch_send() to check that the entire rio_ch_chan_hdr was copied in from userspace.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Linux
  • Linux Kernel

No data.

No data.

References
Link Providers
https://git.kernel.org/stable/c/1921781ec4a8824bd0c520bf9363e28a880d14ec cve-icon cve-icon
https://git.kernel.org/stable/c/1cce6ac47f4a2ac1766b8a188dc8c8f6d8df2a53 cve-icon cve-icon
https://git.kernel.org/stable/c/50695153d7ddde3b1696dbf0085be0033bf3ddb3 cve-icon cve-icon
https://git.kernel.org/stable/c/58f664614f8c3d6142ab81ae551e466dc6e092e8 cve-icon cve-icon
https://git.kernel.org/stable/c/6d5c6711a55c35ce09b90705546050408d9d4b61 cve-icon cve-icon
https://git.kernel.org/stable/c/a8b5ea2e302aa5cd00fc7addd8df53c9bde7b5f6 cve-icon cve-icon
https://git.kernel.org/stable/c/c03ddc183249f03fc7e057e02cae6f89144d0123 cve-icon cve-icon
https://git.kernel.org/stable/c/ecf5ee280b702270afb02f61b299d3dfe3ec7730 cve-icon cve-icon
https://lore.kernel.org/linux-cve-announce/2025063055-CVE-2025-38090-52ef@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-38090 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-38090 cve-icon
History

Tue, 01 Jul 2025 00:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Mon, 30 Jun 2025 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drivers/rapidio/rio_cm.c: prevent possible heap overwrite In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated. Address this by teaching riocm_ch_send() to check that the entire rio_ch_chan_hdr was copied in from userspace.
Title drivers/rapidio/rio_cm.c: prevent possible heap overwrite
References
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-06-30T07:29:45.565Z

Updated: 2025-07-28T04:12:06.031Z

Reserved: 2025-04-16T04:51:23.982Z

Link: CVE-2025-38090

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-06-30T08:15:23.707

Modified: 2025-06-30T18:38:23.493

Link: CVE-2025-38090

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-06-30T00:00:00Z

Links: CVE-2025-38090 - Bugzilla