EUVD-2025-20916

CVE-2025-38330 HIGH
2025-07-10 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS 3.1: 7.1

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd), EUVD-2025-20916
Patch Released: Mar 16, 2026 - 06:52 (nvd), patch available
CVE Published: Jul 10, 2025 - 09:15 (nvd), HIGH 7.1

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

firmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache)

KASAN reported out of bounds access - cs_dsp_ctl_cache_init_multiple_offsets(). The code uses mock_coeff_template.length_bytes (4 bytes) for register value allocations. But later, this length is set to 8 bytes which causes test code failures.

As a fix, just remove the length override, keeping the original value 4 for all operations.

Analysis (AI)

CVE-2025-38330 is an out-of-bounds memory read vulnerability in the Linux kernel's cs_dsp firmware driver, specifically within KUnit test code for control cache initialization. The vulnerability allows a local attacker with low privileges to read sensitive kernel memory, potentially leading to information disclosure and denial of service. This is a kernel testing/development issue rather than a production runtime vulnerability, with no evidence of active exploitation in the wild.

Technical Context (AI)

The vulnerability exists in the Linux kernel's cs_dsp (Cirrus Logic DSP) firmware subsystem, specifically in the cs_dsp_ctl_cache_init_multiple_offsets() function used during KUnit testing. The root cause is CWE-125 (Out-of-bounds Read) where mock coefficient template data allocated with a 4-byte length is later overridden to 8 bytes, causing subsequent memory accesses to read beyond allocated buffer boundaries. The cs_dsp driver is a kernel firmware loader for Cirrus Logic digital signal processors used in audio hardware. The vulnerability manifests in test code rather than production kernel code, affecting developers running kernel self-tests with KASAN (Kernel Address Sanitizer) enabled. CPE context: Linux kernel versions containing the affected cs_dsp subsystem.

Remediation (AI)

Remove the length override in the mock_coeff_template initialization within the cs_dsp KUnit test, restoring the original 4-byte length value for all buffer allocation and access operations. Patch: Apply the Linux kernel commit that removes the problematic length field override in cs_dsp_ctl_cache_init_multiple_offsets(). Affected developers should: (1) Update to a patched Linux kernel version containing this fix; (2) Apply the specific commit to drivers/firmware/cirrus/cs_dsp.c if running custom kernel builds; (3) Run git log --grep='cs_dsp_ctl_cache' or similar to identify the exact patch commit. For production systems: compile kernel without CONFIG_KUNIT or CONFIG_KASAN if not needed for development, though these are typically disabled in production builds anyway.

Vendor Status

Debian

Package: linux

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 5.10.223-1 | - |
| bullseye (security) | fixed | 5.10.251-1 | - |
| bookworm | fixed | 6.1.159-1 | - |
| bookworm (security) | fixed | 6.1.164-1 | - |
| trixie | fixed | 6.12.73-1 | - |
| trixie (security) | fixed | 6.12.74-2 | - |
| forky | fixed | 6.19.6-2 | - |
| sid | fixed | 6.19.8-1 | - |
| (unstable) | not-affected | - | - |
