CVE-2025-37810 – This CVE describes an out-of-bounds memory acce... (How to Fix)

Q: What is the severity of CVE-2025-37810?

CVE-2025-37810 has a CVSS score of 7.8 (HIGH). This CVE describes an out-of-bounds memory access vulnerability in the Linux kernel's DWC3 USB gadget driver. An attacker could trigger a kernel crash or potentially execute arbitrary code by sending specially crafted USB events that exceed the allocated event buffer. This affects systems using the affected Linux kernel versions with DWC3 USB gadget functionality enabled.

📋 TL;DR

This CVE describes an out-of-bounds memory access vulnerability in the Linux kernel's DWC3 USB gadget driver. An attacker could trigger a kernel crash or potentially execute arbitrary code by sending specially crafted USB events that exceed the allocated event buffer. This affects systems using the affected Linux kernel versions with DWC3 USB gadget functionality enabled.

💻 Affected Systems

Products:

Linux kernel

Versions: Specific affected versions not specified in CVE, but patches exist in stable kernel trees. Likely affects multiple kernel versions before the fix commits.

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if DWC3 USB gadget driver is enabled and in use. Many systems may not have this functionality enabled by default.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash, or potential arbitrary code execution with kernel privileges resulting in complete system compromise.

🟠

Likely Case

Kernel panic causing system crash and denial of service, requiring physical access or reboot to restore functionality.

🟢

If Mitigated

No impact if the system is patched or doesn't use DWC3 USB gadget functionality.

🌐 Internet-Facing: LOW - Requires physical USB access or local USB gadget emulation, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Could be exploited by malicious USB devices or through USB gadget emulation by local users.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires ability to send USB events to the DWC3 controller, typically requiring physical USB access or USB gadget emulation capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in stable kernel commits: 015c39f38e69a491d2abd5e98869a500a9459b3b, 52a7c9d930b95aa8b1620edaba4818040c32631f, 63ccd26cd1f6600421795f6ca3e625076be06c9f, 99d655119b870ee60e4dbf310aa9a1ed8d9ede3d, a44547015287a19001384fe94dbff84c92ce4ee1

Vendor Advisory: https://git.kernel.org/stable/c/

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable DWC3 USB gadget functionality

linux

Disable the vulnerable DWC3 USB gadget driver if not needed

modprobe -r dwc3_gadget
echo 'blacklist dwc3_gadget' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

Restrict physical USB access to trusted devices only
Disable USB gadget functionality if not required for system operation

🔍 How to Verify

Check if Vulnerable:

Check if DWC3 gadget module is loaded: lsmod | grep dwc3_gadget. If loaded and kernel version is unpatched, system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes fix commits or verify DWC3 gadget module is not loaded if disabled.

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages related to DWC3 or USB gadget
OOM or memory access violation in kernel logs
System crash/reboot events

Network Indicators:

No network indicators - local USB-based attack

SIEM Query:

source="kernel" AND ("dwc3" OR "USB gadget" OR "kernel panic")

📊 Metadata

CVE ID: CVE-2025-37810

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

EPSS Score: 0.03% exploit probability (6.4th percentile)

Published: May 8, 2025

Last Updated: November 12, 2025

🔗 References

https://git.kernel.org/stable/c/015c39f38e69a491d2abd5e98869a500a9459b3b Patch
https://git.kernel.org/stable/c/52a7c9d930b95aa8b1620edaba4818040c32631f Patch
https://git.kernel.org/stable/c/63ccd26cd1f6600421795f6ca3e625076be06c9f Patch
https://git.kernel.org/stable/c/99d655119b870ee60e4dbf310aa9a1ed8d9ede3d Patch
https://git.kernel.org/stable/c/a44547015287a19001384fe94dbff84c92ce4ee1 Patch
https://git.kernel.org/stable/c/b43225948b231b3f331194010f84512bee4d9f59 Patch
https://git.kernel.org/stable/c/c0079630f268843a25ed75226169cba40e0d8880 Patch
https://git.kernel.org/stable/c/c4d80e41cb42008dceb35e5dbf52574d93beac0d Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-37810, you might also want to check these: