{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22003", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.802Z", "datePublished": "2025-04-03T07:19:05.403Z", "dateUpdated": "2025-05-04T07:27:14.151Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:27:14.151Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: fix out of bound read in strscpy() source\n\nCommit 7fdaf8966aae (\"can: ucan: use strscpy() to instead of strncpy()\")\nunintentionally introduced a one byte out of bound read on strscpy()'s\nsource argument (which is kind of ironic knowing that strscpy() is meant\nto be a more secure alternative :)).\n\nLet's consider below buffers:\n\n  dest[len + 1]; /* will be NUL terminated */\n  src[len]; /* may not be NUL terminated */\n\nWhen doing:\n\n  strncpy(dest, src, len);\n  dest[len] = '\\0';\n\nstrncpy() will read up to len bytes from src.\n\nOn the other hand:\n\n  strscpy(dest, src, len + 1);\n\nwill read up to len + 1 bytes from src, that is to say, an out of bound\nread of one byte will occur on src if it is not NUL terminated. Note\nthat the src[len] byte is never copied, but strscpy() still needs to\nread it to check whether a truncation occurred or not.\n\nThis exact pattern happened in ucan.\n\nThe root cause is that the source is not NUL terminated. Instead of\ndoing a copy in a local buffer, directly NUL terminate it as soon as\nusb_control_msg() returns. With this, the local firmware_str[] variable\ncan be removed.\n\nOn top of this do a couple refactors:\n\n  - ucan_ctl_payload->raw is only used for the firmware string, so\n    rename it to ucan_ctl_payload->fw_str and change its type from u8 to\n    char.\n\n  - ucan_device_request_in() is only used to retrieve the firmware\n    string, so rename it to ucan_get_fw_str() and refactor it to make it\n    directly handle all the string termination logic."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ucan.c"], "versions": [{"version": "7fdaf8966aae476deafe11f9a0067ff588615444", "lessThan": "cc29775a8a72d7f3b56cc026796ad99bd65804a7", "status": "affected", "versionType": "git"}, {"version": "7fdaf8966aae476deafe11f9a0067ff588615444", "lessThan": "8cec9e314d3360fc1d8346297c41a6ee45cb45a9", "status": "affected", "versionType": "git"}, {"version": "7fdaf8966aae476deafe11f9a0067ff588615444", "lessThan": "a4994161a61bc8fd71d105c579d847cefee99262", "status": "affected", "versionType": "git"}, {"version": "7fdaf8966aae476deafe11f9a0067ff588615444", "lessThan": "1d22a122ffb116c3cf78053e812b8b21f8852ee9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ucan.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.85", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.21", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.9", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.13.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cc29775a8a72d7f3b56cc026796ad99bd65804a7"}, {"url": "https://git.kernel.org/stable/c/8cec9e314d3360fc1d8346297c41a6ee45cb45a9"}, {"url": "https://git.kernel.org/stable/c/a4994161a61bc8fd71d105c579d847cefee99262"}, {"url": "https://git.kernel.org/stable/c/1d22a122ffb116c3cf78053e812b8b21f8852ee9"}], "title": "can: ucan: fix out of bound read in strscpy() source", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCB56F36-C998-496A-A2E4-D9E0BB3A5BFC", "versionEndExcluding": "6.6.85", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B63C450-D73B-4A53-9861-98E25C16E842", "versionEndExcluding": "6.12.21", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FAECBE4D-58CF-4836-BBAB-5E28B800A778", "versionEndExcluding": "6.13.9", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*", "matchCriteriaId": "1759FFB7-531C-41B1-9AE1-FD3D80E0D920", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*", "matchCriteriaId": "AD948719-8628-4421-A340-1066314BBD4A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: fix out of bound read in strscpy() source\n\nCommit 7fdaf8966aae (\"can: ucan: use strscpy() to instead of strncpy()\")\nunintentionally introduced a one byte out of bound read on strscpy()'s\nsource argument (which is kind of ironic knowing that strscpy() is meant\nto be a more secure alternative :)).\n\nLet's consider below buffers:\n\n  dest[len + 1]; /* will be NUL terminated */\n  src[len]; /* may not be NUL terminated */\n\nWhen doing:\n\n  strncpy(dest, src, len);\n  dest[len] = '\\0';\n\nstrncpy() will read up to len bytes from src.\n\nOn the other hand:\n\n  strscpy(dest, src, len + 1);\n\nwill read up to len + 1 bytes from src, that is to say, an out of bound\nread of one byte will occur on src if it is not NUL terminated. Note\nthat the src[len] byte is never copied, but strscpy() still needs to\nread it to check whether a truncation occurred or not.\n\nThis exact pattern happened in ucan.\n\nThe root cause is that the source is not NUL terminated. Instead of\ndoing a copy in a local buffer, directly NUL terminate it as soon as\nusb_control_msg() returns. With this, the local firmware_str[] variable\ncan be removed.\n\nOn top of this do a couple refactors:\n\n  - ucan_ctl_payload->raw is only used for the firmware string, so\n    rename it to ucan_ctl_payload->fw_str and change its type from u8 to\n    char.\n\n  - ucan_device_request_in() is only used to retrieve the firmware\n    string, so rename it to ucan_get_fw_str() and refactor it to make it\n    directly handle all the string termination logic."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: ucan: fix out of bound read in strscpy() source Commit 7fdaf8966aae (\"can: ucan: use strscpy() to instead of strncpy()\") introdujo involuntariamente una lectura fuera de los l\u00edmite de un byte en el argumento source de strscpy() (lo cual es un poco ir\u00f3nico sabiendo que strscpy() est\u00e1 destinado a ser una alternativa m\u00e1s segura :)). Consideremos los siguientes b\u00faferes: dest[len + 1]; /* terminar\u00e1 en NUL */ src[len]; /* puede que no termine en NUL */ Al hacer: strncpy(dest, src, len); dest[len] = '\\0'; strncpy() leer\u00e1 hasta len bytes desde src. Por otro lado: strscpy(dest, src, len + 1); Leer\u00e1 hasta len + 1 bytes de src; es decir, se producir\u00e1 una lectura fuera de los l\u00edmites de un byte en src si no termina en NUL. Tenga en cuenta que el byte src[len] nunca se copia, pero strscpy() a\u00fan necesita leerlo para verificar si se produjo un truncamiento. Este mismo patr\u00f3n ocurri\u00f3 en ucan. La causa ra\u00edz es que el origen no termina en NUL. En lugar de hacer una copia en un b\u00fafer local, termine directamente en NUL tan pronto como usb_control_msg() regrese. Con esto, se puede eliminar la variable local firmware_str[]. Adem\u00e1s, realice un par de refactorizaciones: - ucan_ctl_payload->raw solo se usa para la cadena de firmware, as\u00ed que ren\u00f3mbrelo a ucan_ctl_payload->fw_str y cambie su tipo de u8 a char. - ucan_device_request_in() solo se utiliza para recuperar la cadena de firmware, as\u00ed que c\u00e1mbiele el nombre a ucan_get_fw_str() y refactor\u00edcelo para que gestione directamente toda la l\u00f3gica de terminaci\u00f3n de la cadena."}], "id": "CVE-2025-22003", "lastModified": "2025-04-10T16:13:15.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-03T08:15:15.840", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1d22a122ffb116c3cf78053e812b8b21f8852ee9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8cec9e314d3360fc1d8346297c41a6ee45cb45a9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a4994161a61bc8fd71d105c579d847cefee99262"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cc29775a8a72d7f3b56cc026796ad99bd65804a7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: can: ucan: fix out of bound read in strscpy() source", "id": "2357133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2357133"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ncan: ucan: fix out of bound read in strscpy() source\nCommit 7fdaf8966aae (\"can: ucan: use strscpy() to instead of strncpy()\")\nunintentionally introduced a one byte out of bound read on strscpy()'s\nsource argument (which is kind of ironic knowing that strscpy() is meant\nto be a more secure alternative :)).\nLet's consider below buffers:\ndest[len + 1]; /* will be NUL terminated */\nsrc[len]; /* may not be NUL terminated */\nWhen doing:\nstrncpy(dest, src, len);\ndest[len] = '\\0';\nstrncpy() will read up to len bytes from src.\nOn the other hand:\nstrscpy(dest, src, len + 1);\nwill read up to len + 1 bytes from src, that is to say, an out of bound\nread of one byte will occur on src if it is not NUL terminated. Note\nthat the src[len] byte is never copied, but strscpy() still needs to\nread it to check whether a truncation occurred or not.\nThis exact pattern happened in ucan.\nThe root cause is that the source is not NUL terminated. Instead of\ndoing a copy in a local buffer, directly NUL terminate it as soon as\nusb_control_msg() returns. With this, the local firmware_str[] variable\ncan be removed.\nOn top of this do a couple refactors:\n- ucan_ctl_payload->raw is only used for the firmware string, so\nrename it to ucan_ctl_payload->fw_str and change its type from u8 to\nchar.\n- ucan_device_request_in() is only used to retrieve the firmware\nstring, so rename it to ucan_get_fw_str() and refactor it to make it\ndirectly handle all the string termination logic."], "name": "CVE-2025-22003", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22003\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22003\nhttps://lore.kernel.org/linux-cve-announce/2025040349-CVE-2025-22003-ea29@gregkh/T"], "threat_severity": "Moderate"}