CVE-2025-21704 Overview
A memory corruption vulnerability has been discovered in the Linux kernel's USB CDC-ACM (Communications Device Class - Abstract Control Model) driver. The vulnerability exists in the acm_ctrl_irq() function, which fails to properly validate the control transfer buffer size before accessing the struct usb_cdc_notification data structure. When the first fragment of a USB notification is shorter than the expected notification structure, the driver reads lengths from memory outside the received data buffer, leading to out-of-bounds memory access.
Critical Impact
Local attackers with low privileges can exploit this vulnerability to achieve memory corruption, potentially leading to privilege escalation, information disclosure, or system crashes on systems with USB CDC-ACM devices.
Affected Products
- Linux Kernel versions 2.6.12 through current releases (prior to patch)
- Linux Kernel 6.14-rc1 and 6.14-rc2
- Systems running ModemManager with automatic USB device detection
Discovery Timeline
- February 22, 2025 - CVE CVE-2025-21704 published to NVD
- November 03, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21704
Vulnerability Analysis
The vulnerability resides in the CDC-ACM driver's handling of fragmented USB control notifications. The acm_ctrl_irq() function processes incoming USB notifications, which can arrive as multiple fragments that are reassembled. The flaw occurs when calculating the expected_size variable from notification data without first verifying that the received buffer contains sufficient data.
When a maliciously crafted or malformed first fragment is smaller than struct usb_cdc_notification, the driver reads length values from memory beyond the actual received data. This becomes particularly dangerous during fragment reassembly, where if the expected_size value decreases between fragments, the calculation expected_size - acm->nb_index wraps due to integer underflow, causing out-of-bounds memory writes.
While this issue has existed since the early Linux kernel versions (2.6.12), it only became exploitable for memory corruption after commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications") introduced fragment reassembly functionality.
Root Cause
The root cause is improper input validation in the USB CDC-ACM notification handler. The driver assumes that incoming USB control transfer buffers will always contain at least sizeof(struct usb_cdc_notification) bytes before attempting to access the notification structure fields. This assumption fails when dealing with:
- Maliciously crafted USB devices sending undersized notifications
- Hardware malfunctions causing truncated transfers
- Protocol violations from non-compliant USB devices
The fix adds proper bounds checking to verify the buffer size before accessing notification data and logs an error message when discarding invalid notifications.
Attack Vector
The vulnerability requires local access to the system and is triggered through USB device interaction. The attack surface includes:
The acm_ctrl_irq() function only executes after userspace has opened a /dev/ttyACM* device. However, systems running ModemManager will automatically probe and open these devices based on USB vendor/product IDs, significantly expanding the attack surface without user interaction. An attacker could potentially craft a malicious USB device that sends undersized notification fragments to trigger the memory corruption.
Detection Methods for CVE-2025-21704
Indicators of Compromise
- Kernel error messages related to CDC-ACM buffer size validation failures in system logs
- Unexpected kernel panics or system crashes when connecting USB modem or serial devices
- Memory corruption symptoms such as kernel oops messages referencing the cdc-acm module
- Suspicious USB device connections with non-standard notification packet sizes
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for CDC-ACM related errors or warnings
- Deploy kernel tracing (ftrace, perf) to monitor acm_ctrl_irq() function behavior
- Use USB traffic analysis tools to detect malformed CDC-ACM notification packets
- Implement endpoint detection rules for systems with USB CDC-ACM devices connected
Monitoring Recommendations
- Enable kernel audit logging for USB device attach/detach events
- Monitor for ModemManager service activity on systems where it should not be running
- Track /dev/ttyACM* device access patterns for anomalous behavior
- Deploy SentinelOne agents configured to detect kernel-level exploitation attempts
How to Mitigate CVE-2025-21704
Immediate Actions Required
- Update the Linux kernel to a patched version from your distribution's repositories
- Disable or unload the cdc-acm kernel module if USB modem functionality is not required: modprobe -r cdc_acm
- Stop and disable ModemManager service on systems that don't require cellular modem functionality
- Restrict physical USB access on sensitive systems to prevent malicious device connections
Patch Information
Multiple patches have been released to address this vulnerability across various kernel versions. The fix adds proper buffer size validation before accessing the notification structure and safely discards undersized notifications with an appropriate error log.
Available patches from the kernel stable tree:
- Kernel commit 383d516a0ebc
- Kernel commit 6abb510251e7
- Kernel commit 7828e9363ac4
- Kernel commit 871619c2b78f
Additional security advisories are available from Debian LTS and Google Project Zero.
Workarounds
- Blacklist the cdc_acm module by adding blacklist cdc_acm to /etc/modprobe.d/blacklist.conf
- Disable USB hotplug for ACM class devices via udev rules to prevent automatic device enumeration
- Restrict access to /dev/ttyACM* devices using appropriate file permissions or SELinux/AppArmor policies
# Disable the cdc_acm module
echo "blacklist cdc_acm" >> /etc/modprobe.d/blacklist-cdc-acm.conf
echo "install cdc_acm /bin/false" >> /etc/modprobe.d/blacklist-cdc-acm.conf
# Stop ModemManager if not needed
systemctl stop ModemManager
systemctl disable ModemManager
# Unload the module if currently loaded
modprobe -r cdc_acm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
