CVE-2025-68288

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A kernel memory leak exists in USB storage devices when they incorrectly skip the data phase with status data. The code validates the CSW from the sg buffer but fails to clear it, potentially leaking USB protocol data to user space through SCSI generic (/dev/sg*) interfaces. The leaked data includes the US BULK CS SIGN 'USBS' signature and can be observed when requesting data, such as 512 KiB. The issue is resolved by zeroing the CSW data in the srb's transfer buffer after validation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

AZL-72631

CVE-2025-68288

ECHO-6CC4-CC58-D5C2

MGASA-2026-0017

MGASA-2026-0018

OESA-2026-1303

OESA-2026-1304

OESA-2026-1305

OESA-2026-2416

USN-8094-1

USN-8094-2

USN-8094-3

USN-8094-4

USN-8094-5

USN-8095-1

USN-8095-2

USN-8095-3

USN-8095-4

USN-8095-5

USN-8096-1

USN-8096-2

USN-8096-3

USN-8096-4

USN-8096-5

USN-8100-1

USN-8116-1

USN-8125-1

USN-8126-1

USN-8141-1

USN-8152-1

USN-8163-1

USN-8163-2

USN-8165-1

USN-8243-1

USN-8261-1

Affected Products

Debian

Linuxmint

Linux Kernel

Ubuntu

CVE-2025-68288

Related Identifiers

Affected Products

References · 1759