{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39686","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.113Z","datePublished":"2025-09-05T17:20:53.071Z","dateUpdated":"2026-05-12T12:06:13.615Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:34:17.797Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Make insn_rw_emulate_bits() do insn->n samples\n\nThe `insn_rw_emulate_bits()` function is used as a default handler for\n`INSN_READ` instructions for subdevices that have a handler for\n`INSN_BITS` but not for `INSN_READ`.  Similarly, it is used as a default\nhandler for `INSN_WRITE` instructions for subdevices that have a handler\nfor `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the\n`INSN_READ` or `INSN_WRITE` instruction handling with a constructed\n`INSN_BITS` instruction.  However, `INSN_READ` and `INSN_WRITE`\ninstructions are supposed to be able read or write multiple samples,\nindicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently\nonly handles a single sample.  For `INSN_READ`, the comedi core will\ncopy `insn->n` samples back to user-space.  (That triggered KASAN\nkernel-infoleak errors when `insn->n` was greater than 1, but that is\nbeing fixed more generally elsewhere in the comedi core.)\n\nMake `insn_rw_emulate_bits()` either handle `insn->n` samples, or return\nan error, to conform to the general expectation for `INSN_READ` and\n`INSN_WRITE` handlers."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/comedi/drivers.c"],"versions":[{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"ab77e85bd3bc006ef40738f26f446a660813da44","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"842f307a1d115b24f2bcb2415c4e344f11f55930","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"92352ed2f9ac422181e381c2430c2d0dfb46faa0","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"dc0a2f142d655700db43de90cb6abf141b73d908","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"7afba9221f70d4cbce0f417c558879cba0eb5e66","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/comedi/drivers.c"],"versions":[{"version":"2.6.29","status":"affected"},{"version":"0","lessThan":"2.6.29","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.149","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.103","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.44","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.4","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.1.149"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.6.103"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.12.44"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.16.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ab77e85bd3bc006ef40738f26f446a660813da44"},{"url":"https://git.kernel.org/stable/c/ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b"},{"url":"https://git.kernel.org/stable/c/842f307a1d115b24f2bcb2415c4e344f11f55930"},{"url":"https://git.kernel.org/stable/c/92352ed2f9ac422181e381c2430c2d0dfb46faa0"},{"url":"https://git.kernel.org/stable/c/dc0a2f142d655700db43de90cb6abf141b73d908"},{"url":"https://git.kernel.org/stable/c/7afba9221f70d4cbce0f417c558879cba0eb5e66"}],"title":"comedi: Make insn_rw_emulate_bits() do insn->n samples","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:42:18.407Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T12:06:13.615Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC CN 4100","versions":[{"status":"affected","version":"0","lessThan":"V5.0","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-032379.html"}]}]}}