vulnerability

Ubuntu: (Multiple Advisories) (CVE-2025-22003): Linux kernel vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:L/AC:L/Au:S/C:N/I:N/A:C)	Apr 3, 2025	Jun 26, 2025	Oct 16, 2025

Severity

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

Apr 3, 2025

Added

Jun 26, 2025

Modified

Oct 16, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

can: ucan: fix out of bound read in strscpy() source

Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()")
unintentionally introduced a one byte out of bound read on strscpy()'s
source argument (which is kind of ironic knowing that strscpy() is meant
to be a more secure alternative :)).

Let's consider below buffers:

dest[len + 1]; /* will be NUL terminated */
src[len]; /* may not be NUL terminated */

When doing:

strncpy(dest, src, len);
dest[len] = '\0';

strncpy() will read up to len bytes from src.

On the other hand:

strscpy(dest, src, len + 1);

will read up to len + 1 bytes from src, that is to say, an out of bound
read of one byte will occur on src if it is not NUL terminated. Note
that the src[len] byte is never copied, but strscpy() still needs to
read it to check whether a truncation occurred or not.

This exact pattern happened in ucan.

The root cause is that the source is not NUL terminated. Instead of
doing a copy in a local buffer, directly NUL terminate it as soon as
usb_control_msg() returns. With this, the local firmware_str[] variable
can be removed.

On top of this do a couple refactors:

- ucan_ctl_payload->raw is only used for the firmware string, so
rename it to ucan_ctl_payload->fw_str and change its type from u8 to
char.

- ucan_device_request_in() is only used to retrieve the firmware
string, so rename it to ucan_get_fw_str() and refactor it to make it
directly handle all the string termination logic.

Solutions

ubuntu-upgrade-linux-image-6-11-0-1011-realtimeubuntu-upgrade-linux-image-6-11-0-1014-raspiubuntu-upgrade-linux-image-6-11-0-1015-awsubuntu-upgrade-linux-image-6-11-0-1015-lowlatencyubuntu-upgrade-linux-image-6-11-0-1015-lowlatency-64kubuntu-upgrade-linux-image-6-11-0-1016-gcpubuntu-upgrade-linux-image-6-11-0-1016-gcp-64kubuntu-upgrade-linux-image-6-11-0-1017-oracleubuntu-upgrade-linux-image-6-11-0-1017-oracle-64kubuntu-upgrade-linux-image-6-11-0-1018-azureubuntu-upgrade-linux-image-6-11-0-1018-azure-fdeubuntu-upgrade-linux-image-6-11-0-1024-oemubuntu-upgrade-linux-image-6-11-0-28-genericubuntu-upgrade-linux-image-6-11-0-28-generic-64kubuntu-upgrade-linux-image-6-8-0-1023-gkeopubuntu-upgrade-linux-image-6-8-0-1025-azure-nvidiaubuntu-upgrade-linux-image-6-8-0-1036-azureubuntu-upgrade-linux-image-6-8-0-1036-azure-fdeubuntu-upgrade-linux-image-6-8-0-1036-gkeubuntu-upgrade-linux-image-6-8-0-1036-gke-64kubuntu-upgrade-linux-image-6-8-0-1037-ibmubuntu-upgrade-linux-image-6-8-0-1037-oracleubuntu-upgrade-linux-image-6-8-0-1037-oracle-64kubuntu-upgrade-linux-image-6-8-0-1038-azureubuntu-upgrade-linux-image-6-8-0-1038-azure-fdeubuntu-upgrade-linux-image-6-8-0-1039-awsubuntu-upgrade-linux-image-6-8-0-1039-aws-64kubuntu-upgrade-linux-image-6-8-0-1039-nvidiaubuntu-upgrade-linux-image-6-8-0-1039-nvidia-64kubuntu-upgrade-linux-image-6-8-0-1039-nvidia-lowlatencyubuntu-upgrade-linux-image-6-8-0-1039-nvidia-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-1039-raspiubuntu-upgrade-linux-image-6-8-0-1040-gcpubuntu-upgrade-linux-image-6-8-0-1040-gcp-64kubuntu-upgrade-linux-image-6-8-0-2031-raspi-realtimeubuntu-upgrade-linux-image-6-8-0-84-genericubuntu-upgrade-linux-image-6-8-0-84-generic-64kubuntu-upgrade-linux-image-6-8-0-84-lowlatencyubuntu-upgrade-linux-image-6-8-0-84-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-85-genericubuntu-upgrade-linux-image-6-8-0-85-generic-64kubuntu-upgrade-linux-image-6-8-1-1034-realtimeubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-6-8ubuntu-upgrade-linux-image-aws-64kubuntu-upgrade-linux-image-aws-64k-6-8ubuntu-upgrade-linux-image-aws-64k-lts-24-04ubuntu-upgrade-linux-image-aws-lts-24-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-6-11ubuntu-upgrade-linux-image-azure-6-8ubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-azure-fde-6-11ubuntu-upgrade-linux-image-azure-fde-6-8ubuntu-upgrade-linux-image-azure-fde-edgeubuntu-upgrade-linux-image-azure-fde-lts-24-04ubuntu-upgrade-linux-image-azure-lts-24-04ubuntu-upgrade-linux-image-azure-nvidiaubuntu-upgrade-linux-image-azure-nvidia-6-8ubuntu-upgrade-linux-image-azure-nvidia-lts-24-04ubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-6-8ubuntu-upgrade-linux-image-gcp-64kubuntu-upgrade-linux-image-gcp-64k-6-8ubuntu-upgrade-linux-image-gcp-64k-lts-24-04ubuntu-upgrade-linux-image-gcp-lts-24-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-6-8ubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-6-8ubuntu-upgrade-linux-image-generic-64k-hwe-22-04ubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-22-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-gke-6-8ubuntu-upgrade-linux-image-gke-64kubuntu-upgrade-linux-image-gke-64k-6-8ubuntu-upgrade-linux-image-gkeopubuntu-upgrade-linux-image-gkeop-6-8ubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-ibm-6-8ubuntu-upgrade-linux-image-ibm-classicubuntu-upgrade-linux-image-ibm-lts-24-04ubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-6-11ubuntu-upgrade-linux-image-lowlatency-6-8ubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-lowlatency-64k-6-11ubuntu-upgrade-linux-image-lowlatency-64k-6-8ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04ubuntu-upgrade-linux-image-lowlatency-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-hwe-24-04ubuntu-upgrade-linux-image-nvidiaubuntu-upgrade-linux-image-nvidia-6-8ubuntu-upgrade-linux-image-nvidia-64kubuntu-upgrade-linux-image-nvidia-64k-6-8ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04ubuntu-upgrade-linux-image-nvidia-hwe-22-04ubuntu-upgrade-linux-image-nvidia-lowlatencyubuntu-upgrade-linux-image-nvidia-lowlatency-6-8ubuntu-upgrade-linux-image-nvidia-lowlatency-64kubuntu-upgrade-linux-image-nvidia-lowlatency-64k-6-8ubuntu-upgrade-linux-image-oem-22-04ubuntu-upgrade-linux-image-oem-22-04aubuntu-upgrade-linux-image-oem-22-04bubuntu-upgrade-linux-image-oem-22-04cubuntu-upgrade-linux-image-oem-22-04dubuntu-upgrade-linux-image-oem-24-04bubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-6-8ubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-oracle-64k-6-8ubuntu-upgrade-linux-image-oracle-64k-lts-24-04ubuntu-upgrade-linux-image-oracle-lts-24-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-6-8ubuntu-upgrade-linux-image-raspi-realtimeubuntu-upgrade-linux-image-raspi-realtime-6-8ubuntu-upgrade-linux-image-realtimeubuntu-upgrade-linux-image-realtime-6-8-1ubuntu-upgrade-linux-image-realtime-hwe-22-04ubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-6-8ubuntu-upgrade-linux-image-virtual-hwe-22-04ubuntu-upgrade-linux-image-virtual-hwe-24-04

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today