{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39684","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.113Z","datePublished":"2025-09-05T17:20:50.827Z","dateUpdated":"2026-05-12T12:06:11.333Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:34:15.439Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\n\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`.  A kernel\nbuffer is allocated to hold `insn->n` samples (each of which is an\n`unsigned int`).  For some instruction types, `insn->n` samples are\ncopied back to user-space, unless an error code is being returned.  The\nproblem is that not all the instruction handlers that need to return\ndata to userspace fill in the whole `insn->n` samples, so that there is\nan information leak.  There is a similar syzbot report for\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\nthe time of writing.\n\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\na specific handler for that instruction, but do have an `INSN_BITS`\nhandler.  For `INSN_READ` it only fills in at most 1 sample, so if\n`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied\nto userspace will be uninitialized kernel data.\n\nAnother culprit is `vm80xx_ai_insn_read()` in the \"vm80xx\" driver.  It\nnever returns an error, even if it fails to fill the buffer.\n\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\nthat uninitialized parts of the allocated buffer are zeroed before\nhandling each instruction.\n\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`.  That fix\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\nalways necessary to clear the whole buffer."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/comedi/comedi_fops.c"],"versions":[{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"868a1b68dcd9f2805bb86aa64862402f785d8c4a","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"ff4a7c18799c7fe999fa56c5cf276e13866b8c1a","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"d84f6e77ebe3359394df32ecd97e0d76a25283dc","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"f3b0c9ec54736f3b8118f93a473d22e11ee65743","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"aecf0d557ddd95ce68193a5ee1dc4c87415ff08a","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"3cd212e895ca2d58963fdc6422502b10dd3966bb","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/comedi/comedi_fops.c"],"versions":[{"version":"2.6.29","status":"affected"},{"version":"0","lessThan":"2.6.29","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.149","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.103","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.44","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.4","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.1.149"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.6.103"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.12.44"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.16.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a"},{"url":"https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a"},{"url":"https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc"},{"url":"https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743"},{"url":"https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a"},{"url":"https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb"}],"title":"comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:42:16.502Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T12:06:11.333Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC CN 4100","versions":[{"status":"affected","version":"0","lessThan":"V5.0","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-032379.html"}]}]}}