CVE-2025-68343
Linux Kernel Use-After-Free in gs_usb_receive_bulk_callback
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since "urb->context" contains "parent", it is always defined, while "dev" is not defined if the URB it too short.
References (5)
Core 5
Core References
Scores
EPSS
0.0002
EPSS Percentile
6.4%
Details
Status
published
Products (16)
linux/Kernel
3.16.0 - 6.1.159linux
linux/Kernel
6.13.0 - 6.17.11linux
linux/Kernel
6.2.0 - 6.6.119linux
linux/Kernel
6.7.0 - 6.12.61linux
Linux/Linux
< 3.16
Linux/Linux
3.16
Linux/Linux
6.1.159 - 6.1.*
Linux/Linux
6.12.61 - 6.12.*
Linux/Linux
6.17.11 - 6.17.*
Linux/Linux
6.18
... and 6 more
Published
Dec 23, 2025
Tracked Since
Feb 18, 2026