CVE-2025-38497 in Linux
Summary
by MITRE • 07/28/2025
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: configfs: Fix OOB read on empty string write
When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1]
before validating that the length 'l' is greater than zero.
This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning immediately.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/25/2026
This vulnerability exists within the Linux kernel's USB gadget subsystem, specifically in the configfs interface implementation that manages operating system descriptors. The issue manifests when attempting to write empty strings to the qw_sign or landingPage sysfs attributes, which are used to configure USB device identification and webUSB landing page information. The flaw represents a classic out-of-bounds read condition that occurs before proper input validation, creating a potential security risk for systems utilizing USB gadget functionality.
The technical implementation of this vulnerability stems from improper input validation in the store functions responsible for handling sysfs attribute writes. When an empty string is written to either the os_desc_qw_sign_store() or webusb_landingPage_store() functions, the code attempts to access memory location page[l - 1] without first verifying that the input length parameter l exceeds zero. This condition creates a scenario where the code dereferences a memory location that may be outside the allocated buffer boundaries, potentially leading to information disclosure or system instability.
The operational impact of this vulnerability extends beyond simple memory access violations, as it could enable attackers to exploit the out-of-bounds read condition to extract sensitive kernel memory contents or potentially cause system crashes. Systems running Linux kernels with USB gadget support are particularly vulnerable, especially those implementing webUSB functionality or custom USB device configurations that rely on the affected sysfs attributes. This vulnerability aligns with CWE-129, which addresses improper validation of array indices, and represents a specific case of insufficient input validation in kernel space code.
The patch addressing this vulnerability implements a straightforward but critical fix by adding an initial validation check at the beginning of both affected store functions. This defensive programming approach ensures that zero-length inputs are handled gracefully by returning immediately from the function before any memory access operations occur. This mitigation strategy follows established security best practices for preventing buffer over-read conditions and aligns with ATT&CK technique T1068, which covers privilege escalation through kernel vulnerabilities. The fix demonstrates proper input validation principles that should be applied across all kernel subsystems handling user-provided data, particularly in sysfs interfaces where untrusted input can be directly passed to kernel memory operations.