CVE-2025-21689

USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()

Description

In the Linux kernel, the following vulnerability has been resolved: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() This patch addresses a null-ptr-deref in qt2_process_read_urb() due to an incorrect bounds check in the following: if (newport > serial->num_ports) { dev_err(&port->dev, "%s - port change to invalid port: %i\n", __func__, newport); break; } The condition doesn't account for the valid range of the serial->port buffer, which is from 0 to serial->num_ports - 1. When newport is equal to serial->num_ports, the assignment of "port" in the following code is out-of-bounds and NULL: serial_priv->current_port = newport; port = serial->port[serial_priv->current_port]; The fix checks if newport is greater than or equal to serial->num_ports indicating it is out-of-bounds.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/fa4c7472469d97c4707698b4c0e098f8cfc2bf22 patch
https://git.kernel.org/stable/c/94770cf7c5124f0268d481886829dc2beecc4507 patch
https://git.kernel.org/stable/c/6068dcff7f19e9fa6fa23ee03453ad6a40fa4efe patch
https://git.kernel.org/stable/c/4b9b41fabcd38990f69ef0cee9c631d954a2b530 patch
https://git.kernel.org/stable/c/6377838560c03b36e1153a42ef727533def9b68f patch
https://git.kernel.org/stable/c/f371471708c7d997f763b0e70565026eb67cc470 patch
https://git.kernel.org/stable/c/8542b33622571f54dfc2a267fce378b6e3840b8b patch
https://git.kernel.org/stable/c/575a5adf48b06a2980c9eeffedf699ed5534fade patch

Frequently Asked Questions

What is the severity of CVE-2025-21689?
CVE-2025-21689 has been scored as a medium severity vulnerability.
How to fix CVE-2025-21689?
To fix CVE-2025-21689, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-21689 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-21689 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-21689?
CVE-2025-21689 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.