CVE-2025-22003

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A vulnerability has been resolved in the Linux kernel. The issue is related to an out of bound read in the strscpy() function. This occurred when the source buffer was not null-terminated, causing strscpy() to read one byte beyond the buffer's length. The root cause is that the source buffer is not null-terminated. The problem arose from a commit that replaced strncpy() with strscpy() in the ucan code.

Recommendations To resolve the issue, directly null-terminate the source buffer as soon as usb control msg() returns, eliminating the need for a local copy of the firmware string. Refactor ucan ctl payload->raw to ucan ctl payload->fw str and change its type from u8 to char, as it is only used for the firmware string. Rename ucan device request in() to ucan get fw str() and refactor it to handle the string termination logic directly. At the moment, there is no information about a newer version that contains a fix for this vulnerability.