CVE-2025-40004

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A buffer overflow issue exists in the USB 9pfs transport layer. Inconsistent size validation between packet header parsing and actual data copying allows a malicious USB host to overflow heap buffers. The vulnerability occurs because usb9pfs rx header() validates only the declared size in the packet header, while usb9pfs rx complete() uses req->actual (actual received bytes) for memcpy. This discrepancy allows an attacker to create packets with a small declared size, bypassing validation, but with a large actual payload, triggering an overflow during the memcpy operation. The vulnerable functions are usb9pfs rx header() and usb9pfs rx complete(). The variable req->actual is used in the vulnerable memcpy operation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.