CVE-2025-38480— comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-38480
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于insn_rw_emulate_bits函数中使用未初始化数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-38480
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-38480
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-07-28 · 29 CVEs total
| CVE-2025-38484 | iio: backend: fix out-of-bound write | |
| CVE-2025-38497 | usb: gadget: configfs: Fix OOB read on empty string write | |
| CVE-2025-38496 | dm-bufio: fix sched in atomic context | |
| CVE-2025-38495 | HID: core: ensure the allocated report buffer can contain the reserved report ID | |
| CVE-2025-38494 | HID: core: do not bypass hid_hw_raw_request | |
| CVE-2025-38493 | tracing/osnoise: Fix crash in timerlat_dump_stack() | |
| CVE-2025-38492 | netfs: Fix race between cache write completion and ALL_QUEUED being set | |
| CVE-2025-38491 | mptcp: make fallback action and fallback decision atomic | |
| CVE-2025-38490 | net: libwx: remove duplicate page_pool_put_full_page() | |
| CVE-2025-38489 | s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again | |
| CVE-2025-38488 | smb: client: fix use-after-free in crypt_message when using async crypto | |
| CVE-2025-38487 | soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled | |
| CVE-2025-38485 | iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush | |
| CVE-2025-38486 | soundwire: Revert "soundwire: qcom: Add set_channel_map api support" | |
| CVE-2025-38468 | net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree | |
| CVE-2025-38483 | comedi: das16m1: Fix bit shift out of bounds | |
| CVE-2025-38482 | comedi: das6402: Fix bit shift out of bounds | |
| CVE-2025-38481 | comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large | |
| CVE-2025-38478 | comedi: Fix initialization of data for instructions that write to subdevice | |
| CVE-2025-38477 | net/sched: sch_qfq: Fix race condition on qfq_aggregate |
Showing top 20 of 29 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-38480
No comments yet