CVE-2025-68773

Linux Kernel Buffer Overflow in FSL-CPM SPI Driver via Odd-Length Transfer

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: spi: fsl-cpm: Check length parity before switching to 16 bit mode Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even.

References (7)

Core 7

Scores

EPSS 0.0007
EPSS Percentile 21.0%

Details

Status published
Products (35)
linux/Kernel < 5.10.248linux
linux/Kernel 5.11.0 - 5.15.198linux
linux/Kernel 5.16.0 - 6.1.160linux
linux/Kernel 6.2.0 - 6.6.120linux
linux/Kernel 6.4.0 - 6.12.64linux
linux/Kernel 6.7.0 - 6.18.3linux
Linux/Linux < 6.4
Linux/Linux 36a6d0f66c874666caf4e8be155b1be30f6231be
Linux/Linux 4.14.316 - 4.15
Linux/Linux 4.19.284 - 4.20
... and 25 more
Published Jan 13, 2026
Tracked Since Feb 18, 2026