CVE-2022-25375 in Linux

Summary

by MITRE • 02/21/2022

An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.


Analysis

by VulDB Data Team • 05/18/2025

The vulnerability identified as CVE-2022-25375 resides within the Linux kernel's USB gadget implementation, specifically in the rndis.c driver file that handles RNDIS (Remote Network Driver Interface Specification) protocol functionality. This flaw affects Linux kernel versions prior to 5.16.10 and represents a critical information disclosure vulnerability that can be exploited by remote attackers to extract sensitive data from kernel memory spaces. The RNDIS protocol is commonly used in USB gadget configurations to provide network connectivity between host and device systems, making this vulnerability particularly concerning for embedded systems and network appliances that rely on USB networking capabilities.

The technical root cause of this vulnerability is inadequate input validation in the RNDIS_MSG_SET command processing logic. When the USB gadget receives an RNDIS_MSG_SET command from a remote client, the kernel does not properly validate the size parameter carried in the command structure. This validation gap allows attackers to craft malicious RNDIS messages with oversized or malformed size fields that trigger buffer over-read conditions. The vulnerability manifests as missing bounds checking on the command size parameter, which lets attackers influence the memory accesses performed during command processing. Under the CWE classification this corresponds to CWE-129: Improper Validation of Array Index, since the flaw is insufficient validation of input data that controls memory access operations. The flaw operates at the kernel level, where memory addresses and data structures are accessed without proper sanitization of user-supplied parameters.

The operational impact of CVE-2022-25375 extends beyond simple information disclosure, as it can potentially expose sensitive kernel memory contents including cryptographic keys, session tokens, network credentials, and other confidential data structures. Attackers exploiting this vulnerability can leverage the lack of size validation to perform memory reads beyond the intended boundaries of the RNDIS command structures, potentially accessing adjacent memory regions that contain valuable information. This vulnerability is particularly dangerous in environments where USB gadgets serve as network interfaces for network infrastructure devices, embedded systems, or IoT appliances. The attack surface is broad as any system running affected Linux kernel versions with USB gadget support and RNDIS functionality enabled could be compromised. The vulnerability aligns with ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell) and T1566.001 (Phishing: Spearphishing Attachment) as attackers can potentially use information obtained from kernel memory to conduct more sophisticated attacks or privilege escalation attempts.

Mitigation strategies for CVE-2022-25375 primarily involve upgrading to Linux kernel version 5.16.10 or later where the vulnerability has been patched through proper input validation implementation. System administrators should also implement network segmentation and access controls to limit exposure of USB gadget interfaces to untrusted networks. Additional protective measures include monitoring for unusual RNDIS traffic patterns and implementing kernel hardening techniques such as stack canaries and address space layout randomization. The patch for this vulnerability specifically addresses the missing size validation by adding proper bounds checking to ensure that RNDIS_MSG_SET command sizes fall within acceptable ranges before processing. Organizations should also consider disabling USB gadget functionality when not required and implementing proper network monitoring to detect potential exploitation attempts. This vulnerability demonstrates the importance of thorough input validation in kernel drivers and highlights the need for comprehensive security testing of network protocol implementations in operating system kernels.
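The bounds check that the analysis and mitigation paragraphs above describe, as an added example that is neither the kernel's rndis.c nor VulDB's material: the SET message is parsed from a constructed little-endian byte buffer, and the information buffer is only returned when its offset and length stay inside the bytes actually received. The header field order and the rule that InformationBufferOffset is counted from the RequestID field follow the RNDIS specification; the constants RNDIS_MSG_SET (0x5) and RNDIS_MAX_TOTAL_SIZE (1558) are assumed from the kernel's rndis.h and should be verified locally; rndis_set_info_buffer, build_set_msg and the rd32/wr32 accessors are hypothetical helpers written for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Message type and size limit as used by the RNDIS specification and the
 * kernel's rndis.h (values assumed from those sources; verify locally). */
#define RNDIS_MSG_SET        0x00000005u
#define RNDIS_MAX_TOTAL_SIZE 1558u

/* A SET message header is seven 32-bit little-endian fields. */
#define RNDIS_SET_HDR_LEN    28u
/* InformationBufferOffset is counted from the RequestID field, i.e. byte 8. */
#define RNDIS_INFO_BASE      8u

/* Little-endian field accessors; RNDIS fields are little-endian on the wire. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Locate the InformationBuffer of a SET message, refusing any header whose
 * size fields would make the parser read outside the received bytes.
 * Returns 0 and fills *info / *info_len on success, -1 otherwise (the kernel
 * driver would return -EINVAL here).
 */
int rndis_set_info_buffer(const uint8_t *msg, size_t msg_len,
                          const uint8_t **info, uint32_t *info_len)
{
    if (msg == NULL || msg_len < RNDIS_SET_HDR_LEN)
        return -1;                          /* header itself is truncated */
    if (rd32(msg) != RNDIS_MSG_SET)
        return -1;                          /* not a SET message */

    uint32_t total  = rd32(msg + 4);        /* MessageLength claimed by the host */
    uint32_t length = rd32(msg + 16);       /* InformationBufferLength */
    uint32_t offset = rd32(msg + 20);       /* InformationBufferOffset */

    /* The claimed length must fit both the received buffer and the global limit. */
    if (total < RNDIS_SET_HDR_LEN || total > msg_len || total > RNDIS_MAX_TOTAL_SIZE)
        return -1;

    /* Do the range arithmetic in 64 bits so offset + length cannot wrap a u32. */
    uint64_t start = (uint64_t)RNDIS_INFO_BASE + offset;
    uint64_t end   = start + length;
    if (start < RNDIS_SET_HDR_LEN || end > total)
        return -1;                          /* buffer would leave the message */

    *info = msg + start;
    *info_len = length;
    return 0;
}

/* Build a SET message into out (capacity cap); returns bytes written, 0 if it
 * does not fit. offset and length are written exactly as given so callers can
 * construct malformed headers for negative tests. */
size_t build_set_msg(uint8_t *out, size_t cap, uint32_t oid,
                     uint32_t offset, uint32_t length,
                     const uint8_t *payload, size_t payload_len)
{
    size_t total = RNDIS_SET_HDR_LEN + payload_len;
    if (total > cap)
        return 0;
    memset(out, 0, total);
    wr32(out + 0, RNDIS_MSG_SET);
    wr32(out + 4, (uint32_t)total);
    wr32(out + 8, 1);                       /* RequestID */
    wr32(out + 12, oid);
    wr32(out + 16, length);
    wr32(out + 20, offset);
    /* out + 24: DeviceVcHandle, left as 0 */
    if (payload_len)
        memcpy(out + RNDIS_SET_HDR_LEN, payload, payload_len);
    return total;
}

int main(void)
{
    uint8_t buf[64];
    const uint8_t val[4] = {0x01, 0x00, 0x00, 0x00};   /* constructed 4-byte OID value */
    const uint8_t *info;
    uint32_t info_len;

    /* Well-formed: payload directly after the 28-byte header, offset 20 from RequestID. */
    size_t n = build_set_msg(buf, sizeof buf, 0x0001010eu, 20, 4, val, 4);
    printf("well-formed: %d\n", rndis_set_info_buffer(buf, n, &info, &info_len));

    /* Malformed: offset points far past the bytes that were received. */
    n = build_set_msg(buf, sizeof buf, 0x0001010eu, 0xfffffff0u, 4, val, 4);
    printf("oversized offset: %d\n", rndis_set_info_buffer(buf, n, &info, &info_len));
    return 0;
}
```

The check compares the host-controlled offset and length against the number of bytes actually received, not only against the MessageLength the host claims, and it widens the arithmetic before comparing so that a length near UINT32_MAX cannot wrap around the check.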

Reservation: 02/20/2022

Disclosure: 02/21/2022

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.01054

KEV: no

Activities: very low

Sources
