{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38348","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.006Z","datePublished":"2025-07-10T08:15:15.883Z","dateUpdated":"2026-05-11T21:26:15.183Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:26:15.183Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()\n\nRobert Morris reported:\n\n|If a malicious USB device pretends to be an Intersil p54 wifi\n|interface and generates an eeprom_readback message with a large\n|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the\n|message beyond the end of priv->eeprom.\n|\n|static void p54_rx_eeprom_readback(struct p54_common *priv,\n|                                   struct sk_buff *skb)\n|{\n|        struct p54_hdr *hdr = (struct p54_hdr *) skb->data;\n|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;\n|\n|        if (priv->fw_var >= 0x509) {\n|                memcpy(priv->eeprom, eeprom->v2.data,\n|                       le16_to_cpu(eeprom->v2.len));\n|        } else {\n|                memcpy(priv->eeprom, eeprom->v1.data,\n|                       le16_to_cpu(eeprom->v1.len));\n|        }\n| [...]\n\nThe eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().\nThe device is supposed to provide the same length back to the driver.\nBut yes, it's possible (like shown in the report) to alter the value\nto something that causes a crash/panic due to overrun.\n\nThis patch addresses the issue by adding the size to the common device\ncontext, so p54_rx_eeprom_readback no longer relies on possibly tampered\nvalues... That said, it also checks if the \"firmware\" altered the value\nand no longer copies them.\n\nThe one, small saving grace is: Before the driver tries to read the eeprom,\nit needs to upload >a< firmware. the vendor firmware has a proprietary\nlicense and as a reason, it is not present on most distributions by\ndefault."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/intersil/p54/fwio.c","drivers/net/wireless/intersil/p54/p54.h","drivers/net/wireless/intersil/p54/txrx.c"],"versions":[{"version":"7cb770729ba895f73253dfcd46c3fcba45d896f9","lessThan":"12134f79e53eb56b0b0b7447fa0c512acf6a8422","status":"affected","versionType":"git"},{"version":"7cb770729ba895f73253dfcd46c3fcba45d896f9","lessThan":"9701f842031b825e2fd5f22d064166f8f13f6e4d","status":"affected","versionType":"git"},{"version":"7cb770729ba895f73253dfcd46c3fcba45d896f9","lessThan":"1f7f8168abe8cbe845ab8bb557228d44784a6b57","status":"affected","versionType":"git"},{"version":"7cb770729ba895f73253dfcd46c3fcba45d896f9","lessThan":"f39b2f8c1549a539846e083790fad396ef6cd802","status":"affected","versionType":"git"},{"version":"7cb770729ba895f73253dfcd46c3fcba45d896f9","lessThan":"0e4dc150423b829c35cbcf399481ca11594fc036","status":"affected","versionType":"git"},{"version":"7cb770729ba895f73253dfcd46c3fcba45d896f9","lessThan":"6d05390d20f110de37d051a3e063ef0a542d01fb","status":"affected","versionType":"git"},{"version":"7cb770729ba895f73253dfcd46c3fcba45d896f9","lessThan":"714afb4c38edd19a057d519c1f9c5d164b43de94","status":"affected","versionType":"git"},{"version":"7cb770729ba895f73253dfcd46c3fcba45d896f9","lessThan":"da1b9a55ff116cb040528ef664c70a4eec03ae99","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/intersil/p54/fwio.c","drivers/net/wireless/intersil/p54/p54.h","drivers/net/wireless/intersil/p54/txrx.c"],"versions":[{"version":"2.6.28","status":"affected"},{"version":"0","lessThan":"2.6.28","status":"unaffected","versionType":"semver"},{"version":"5.4.295","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.239","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.186","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.95","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.35","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.4","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"5.4.295"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"5.10.239"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"5.15.186"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.6.95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.12.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.15.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/12134f79e53eb56b0b0b7447fa0c512acf6a8422"},{"url":"https://git.kernel.org/stable/c/9701f842031b825e2fd5f22d064166f8f13f6e4d"},{"url":"https://git.kernel.org/stable/c/1f7f8168abe8cbe845ab8bb557228d44784a6b57"},{"url":"https://git.kernel.org/stable/c/f39b2f8c1549a539846e083790fad396ef6cd802"},{"url":"https://git.kernel.org/stable/c/0e4dc150423b829c35cbcf399481ca11594fc036"},{"url":"https://git.kernel.org/stable/c/6d05390d20f110de37d051a3e063ef0a542d01fb"},{"url":"https://git.kernel.org/stable/c/714afb4c38edd19a057d519c1f9c5d164b43de94"},{"url":"https://git.kernel.org/stable/c/da1b9a55ff116cb040528ef664c70a4eec03ae99"}],"title":"wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:36:58.983Z"}}]}}