CVE-2025-38348 in Linux
Summary
by MITRE • 07/10/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
Robert Morris reported:
|If a malicious USB device pretends to be an Intersil p54 wifi |interface and generates an eeprom_readback message with a large |eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the |message beyond the end of priv->eeprom. | |static void p54_rx_eeprom_readback(struct p54_common *priv, | struct sk_buff *skb) |{
| struct p54_hdr *hdr = (struct p54_hdr *) skb->data; | struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data; | | if (priv->fw_var >= 0x509) {
| memcpy(priv->eeprom, eeprom->v2.data, | le16_to_cpu(eeprom->v2.len)); | } else {
| memcpy(priv->eeprom, eeprom->v1.data, | le16_to_cpu(eeprom->v1.len)); | } | [...]
The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().
The device is supposed to provide the same length back to the driver. But yes, it's possible (like shown in the report) to alter the value to something that causes a crash/panic due to overrun.
This patch addresses the issue by adding the size to the common device context, so p54_rx_eeprom_readback no longer relies on possibly tampered values... That said, it also checks if the "firmware" altered the value and no longer copies them.
The one, small saving grace is: Before the driver tries to read the eeprom, it needs to upload >a< firmware. the vendor firmware has a proprietary license and as a reason, it is not present on most distributions by default.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 12/16/2025
The vulnerability CVE-2025-38348 represents a critical buffer overflow condition within the Linux kernel's p54 wireless driver implementation that specifically affects devices utilizing Intersil p54 WiFi interfaces. This flaw exists in the p54_rx_eeprom_readback() function which processes EEPROM readback messages from USB-based wireless devices. The issue stems from insufficient input validation when handling the eeprom->v1.len and eeprom->v2.len fields that are populated by malicious USB devices attempting to impersonate legitimate p54 WiFi hardware. The vulnerability operates through a classic buffer overflow attack vector where an attacker-controlled device can manipulate the length parameters to cause memory corruption beyond the allocated priv->eeprom buffer boundaries. This represents a direct violation of CWE-121, which addresses stack-based buffer overflow conditions, and also aligns with CWE-787, concerning out-of-bounds write operations. The attack scenario involves a malicious USB device that mimics an Intersil p54 WiFi interface and sends specially crafted eeprom_readback messages with inflated length values that exceed the actual buffer capacity.
The technical execution of this vulnerability occurs during the wireless driver's EEPROM reading process where the kernel's p54_common structure contains a fixed-size EEPROM buffer that gets overwritten when the driver attempts to copy data based on attacker-controlled length parameters. The function p54_rx_eeprom_readback() performs a memcpy operation using the potentially tampered length values without proper bounds checking, leading to memory corruption that can result in system crashes, kernel panics, or potentially arbitrary code execution. The vulnerability is particularly concerning because it operates at the kernel level and can be triggered through USB device interaction, making it exploitable via physical access or malicious device insertion. This attack vector aligns with ATT&CK technique T1059.001 for command and scripting interpreter execution and T1068 for exploit for privilege escalation. The specific code path involves the driver's firmware download process where p54_download_eeprom() sets the initial length values that are then expected to be returned verbatim by the device during the readback phase.
The operational impact of CVE-2025-38348 extends beyond simple system crashes to potentially enable privilege escalation and system compromise in environments where USB devices are not properly restricted. The vulnerability affects systems running Linux kernels with the p54 wireless driver enabled and can be exploited through any USB device that attempts to communicate with the kernel using the p54 protocol. The patch implementation addresses this by introducing a size validation mechanism that prevents the use of potentially corrupted length values and ensures that the driver maintains proper bounds checking before performing memory operations. The mitigation strategy involves maintaining a proper size context within the device's common structure to prevent reliance on attacker-controlled values. The vulnerability's severity is compounded by the fact that the necessary firmware components are typically proprietary and not included in default distributions, making system administrators less aware of the potential risk. This aligns with the broader class of vulnerabilities categorized under the ATT&CK framework as privilege escalation techniques, particularly those involving driver-level exploits. The vulnerability demonstrates a fundamental flaw in input validation and memory management practices within kernel drivers, emphasizing the importance of proper bounds checking and secure coding practices for device drivers that handle untrusted input data from external hardware devices. The security implications extend to environments where USB device access is not restricted, as the vulnerability can be exploited through simple physical device insertion without requiring network access or advanced attack capabilities.