{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38478","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.021Z","datePublished":"2025-07-28T11:21:44.210Z","dateUpdated":"2026-05-11T21:28:47.261Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:28:47.261Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix initialization of data for instructions that write to subdevice\n\nSome Comedi subdevice instruction handlers are known to access\ninstruction data elements beyond the first `insn->n` elements in some\ncases.  The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions\nallocate at least `MIN_SAMPLES` (16) data elements to deal with this,\nbut they do not initialize all of that.  For Comedi instruction codes\nthat write to the subdevice, the first `insn->n` data elements are\ncopied from user-space, but the remaining elements are left\nuninitialized.  That could be a problem if the subdevice instruction\nhandler reads the uninitialized data.  Ensure that the first\n`MIN_SAMPLES` elements are initialized before calling these instruction\nhandlers, filling the uncopied elements with 0.  For\n`do_insnlist_ioctl()`, the same data buffer elements are used for\nhandling a list of instructions, so ensure the first `MIN_SAMPLES`\nelements are initialized for each instruction that writes to the\nsubdevice."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/comedi/comedi_fops.c"],"versions":[{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"6f38c6380c3b38a05032b8881e41137385a6ce02","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"13e4d9038a1e869445a996a3f604a84ef52fe8f4","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"020eed5681d0f9bced73970368078a92d6cfaa9c","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"d3436638738ace8f101af7bdee2eae1bc38e9b29","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"673ee92bd2d31055bca98a1d96b653f5284289c4","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"c42116dc70af6664526f7aa82cf937824ab42649","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"46d8c744136ce2454aa4c35c138cc06817f92b8e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/comedi/comedi_fops.c"],"versions":[{"version":"2.6.29","status":"affected"},{"version":"0","lessThan":"2.6.29","status":"unaffected","versionType":"semver"},{"version":"5.4.297","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.241","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.147","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.100","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.40","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.8","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.4.297"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.10.241"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.1.147"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.6.100"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.12.40"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.15.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6f38c6380c3b38a05032b8881e41137385a6ce02"},{"url":"https://git.kernel.org/stable/c/13e4d9038a1e869445a996a3f604a84ef52fe8f4"},{"url":"https://git.kernel.org/stable/c/020eed5681d0f9bced73970368078a92d6cfaa9c"},{"url":"https://git.kernel.org/stable/c/d3436638738ace8f101af7bdee2eae1bc38e9b29"},{"url":"https://git.kernel.org/stable/c/673ee92bd2d31055bca98a1d96b653f5284289c4"},{"url":"https://git.kernel.org/stable/c/c42116dc70af6664526f7aa82cf937824ab42649"},{"url":"https://git.kernel.org/stable/c/fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9"},{"url":"https://git.kernel.org/stable/c/46d8c744136ce2454aa4c35c138cc06817f92b8e"}],"title":"comedi: Fix initialization of data for instructions that write to subdevice","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:38:46.621Z"}}]}}