Linux Kernel up to 6.12.25/6.14.4/6.15-rc3 mei vsc-tp.c buf[] buffer overflow

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as critical has been found in Linux Kernel up to 6.12.25/6.14.4/6.15-rc3. The impacted element is an unknown function of the file vsc-tp.c of the component mei. Executing a manipulation of the argument buf[] can lead to buffer overflow. This vulnerability is handled as CVE-2025-37816. There is not any exploit available. The affected component should be upgraded.
Details
A vulnerability was found in Linux Kernel up to 6.12.25/6.14.4/6.15-rc3. It has been declared as critical. This vulnerability affects an unknown part of the file vsc-tp.c of the component mei. The manipulation of the argument buf[] with an unknown input leads to a buffer overflow vulnerability. The CWE definition for the vulnerability is CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
In the Linux kernel, the following vulnerability has been resolved: mei: vsc: Fix fortify-panic caused by invalid counted_by() use gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[] and the vsc-tp.c code is using this in a wrong way. len does not contain the available size in the buffer, it contains the actual packet length *without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to buf[] the fortify-panic handler gets triggered: [ 80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0 [ 80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50 ... [ 80.843175] __fortify_panic+0x9/0xb [ 80.843186] vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw] [ 80.843210] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [ 80.843229] ? lockdep_hardirqs_on+0x7c/0x110 [ 80.843250] mei_vsc_hw_start+0x98/0x120 [mei_vsc] [ 80.843270] mei_reset+0x11d/0x420 [mei] The easiest fix would be to just drop the counted-by but with the exception of the ack buffer in vsc_tp_xfer_helper() which only contains enough room for the packet-header, all other uses of vsc_tp_packet always use a buffer of VSC_TP_MAX_XFER_SIZE bytes for the packet. Instead of just dropping the counted-by, split the vsc_tp_packet struct definition into a header and a full-packet definition and use a fixed size buf[] in the packet definition, this way fortify-source buffer overrun checking still works when enabled.
The advisory is shared for download at git.kernel.org. This vulnerability was named CVE-2025-37816 since 04/16/2025. The exploitation appears to be easy. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 11/13/2025).
The vulnerability scanner Nessus provides a plugin with the ID 240657 (Ubuntu 25.04 : Linux kernel vulnerabilities (USN-7594-1)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 6.12.26, 6.14.5 or 6.15-rc4 eliminates this vulnerability. Applying the patch 3e243378f27cc7d11682a3ad720228b0723affa5/ac04663c67f244810b3492e9ecd9f7cdbefeca2d/00f1cc14da0f06d2897b8c528df7c7dcf1b8da50 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at Tenable (240657). Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
- 6.12.0
- 6.12.1
- 6.12.2
- 6.12.3
- 6.12.4
- 6.12.5
- 6.12.6
- 6.12.7
- 6.12.8
- 6.12.9
- 6.12.10
- 6.12.11
- 6.12.12
- 6.12.13
- 6.12.14
- 6.12.15
- 6.12.16
- 6.12.17
- 6.12.18
- 6.12.19
- 6.12.20
- 6.12.21
- 6.12.22
- 6.12.23
- 6.12.24
- 6.12.25
- 6.14.0
- 6.14.1
- 6.14.2
- 6.14.3
- 6.14.4
- 6.15-rc1
- 6.15-rc2
- 6.15-rc3
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.8VulDB Meta Temp Score: 6.6
VulDB Base Score: 8.0
VulDB Temp Score: 7.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Buffer overflowCWE: CWE-120 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 240657
Nessus Name: Ubuntu 25.04 : Linux kernel vulnerabilities (USN-7594-1)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Kernel 6.12.26/6.14.5/6.15-rc4
Patch: 3e243378f27cc7d11682a3ad720228b0723affa5/ac04663c67f244810b3492e9ecd9f7cdbefeca2d/00f1cc14da0f06d2897b8c528df7c7dcf1b8da50
Timeline
04/16/2025 🔍05/08/2025 🔍
05/08/2025 🔍
11/13/2025 🔍
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2025-37816 (🔍)
GCVE (CVE): GCVE-0-2025-37816
GCVE (VulDB): GCVE-100-307996
Entry
Created: 05/08/2025 09:05Updated: 11/13/2025 01:02
Changes: 05/08/2025 09:05 (60), 06/27/2025 22:49 (2), 11/13/2025 01:01 (10), 11/13/2025 01:02 (5)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.