CVE-2025-38680 in Linuxinfo

Summary

by MITRE • 09/04/2025

In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()

The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), buf the function accesses buffer[3], requiring at least 4 bytes.

This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.

Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format().

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/10/2026

The vulnerability identified as CVE-2025-38680 represents a critical out-of-bounds memory access flaw within the Linux kernel's USB video class driver implementation. This issue specifically affects the uvcvideo subsystem responsible for handling USB video devices such as webcams and digital cameras. The vulnerability stems from an insufficient buffer length validation mechanism that fails to account for the actual memory access requirements of the uvc_parse_format() function, creating a potential security risk that could be exploited by malicious actors.

The technical flaw manifests in the validation logic of the uvcvideo driver where the buffer length check performs a basic verification ensuring that the input buffer contains more than two bytes, specifically checking buflen > 2. However, this validation proves inadequate as the uvc_parse_format() function subsequently attempts to access buffer[3], which requires a minimum of four bytes to be safely accessible. When a buffer containing exactly three bytes is processed, the function attempts to read beyond the allocated memory boundaries, resulting in an out-of-bounds read condition that can potentially expose sensitive kernel memory contents or cause system instability.

This type of vulnerability falls under CWE-129, which specifically addresses insufficient validation of length of inputs to ensure they are within expected bounds, and more broadly relates to CWE-787, which covers out-of-bounds write operations. The operational impact of this vulnerability extends beyond simple memory corruption as it can potentially allow attackers to extract kernel memory information, which may contain sensitive data such as cryptographic keys, credentials, or other confidential system information. The vulnerability is particularly concerning in environments where USB video devices are frequently used, as it could be exploited through malicious USB devices or compromised device drivers.

The fix implemented addresses this issue by strengthening the buffer validation logic to ensure that uvc_parse_format() only processes buffers containing at least four bytes of data before attempting any memory access operations. This modification aligns with the principle of defensive programming and follows established security practices for preventing buffer overflow conditions. The mitigation strategy directly addresses the root cause by enforcing proper boundary checking before memory access operations, thereby preventing the out-of-bounds read condition that could lead to information disclosure or system compromise.

From an ATT&CK framework perspective, this vulnerability could be leveraged as part of a broader exploitation chain under techniques such as T1059.007 for command execution through kernel modules and T1566.001 for initial access via physical or network-based attack vectors. The vulnerability represents a medium to high severity risk depending on the system configuration and usage patterns, particularly in enterprise environments where USB video devices are commonly deployed and where the potential for privilege escalation through kernel memory exposure exists. The fix demonstrates the importance of comprehensive input validation and proper boundary checking in kernel space operations, reinforcing the need for rigorous security testing of device drivers and kernel subsystems.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!