CVE-2025-38558
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's USB gadget UVC driver causes kernel crashes when userspace configures frame-based video formats without explicitly defining color matching descriptors. This affects systems using USB gadget functionality with UVC video streaming, particularly embedded devices and Android systems. The vulnerability leads to denial of service through kernel panics.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, requiring physical or remote reboot to restore functionality.
Likely Case
System instability or crash when configuring USB gadget UVC video streaming with frame-based formats, disrupting USB video functionality.
If Mitigated
No impact if USB gadget UVC functionality is not used or if proper kernel patches are applied.
🎯 Exploit Status
Requires local access to configure USB gadget via configfs. Crash is triggered during legitimate configuration operations rather than malicious payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in stable kernel commits: 323a80a1a5ace319a722909c006d5bdb2a35d273, 6db61c1aa23075eeee90e083ca3f6567a5635da6, 7f8576fc9d1a203d12474bf52710c7af68cae490
Vendor Advisory: https://git.kernel.org/stable/c/323a80a1a5ace319a722909c006d5bdb2a35d273
Restart Required: No
Instructions:
1. Update to patched kernel version from your distribution vendor.
2. For custom kernels, apply the fix commits to your kernel source.
3. Recompile and deploy the updated kernel.
🔧 Temporary Workarounds
Disable USB gadget UVC functionality
Prevent the vulnerable code path by disabling USB gadget UVC support in kernel configuration
# The configfs UVC gadget function is built as the usb_f_uvc module
echo "blacklist usb_f_uvc" >> /etc/modprobe.d/blacklist.conf
rmmod usb_f_uvc
Avoid frame-based format configuration
Configure USB gadget UVC with only uncompressed or MJPEG formats which have proper color matching initialization
🧯 If You Can't Patch
- Restrict configfs access to trusted users only
- Monitor kernel logs for UVC configuration attempts and crashes
🔍 How to Verify
Check if Vulnerable:
Check if kernel is vulnerable by examining kernel version and checking if USB gadget UVC module is loaded: lsmod | grep uvc
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes the fix commits or test UVC gadget configuration with frame-based formats without crash
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning NULL pointer dereference at uvcg_framebased_make or __uvcg_fill_strm
- USB gadget configuration errors in system logs
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("NULL pointer dereference" AND "uvc" OR "uvcg_framebased_make")
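One way to apply the log indicators above on a host without a SIEM, as an added example that is not part of the original advisory: a shell function that reports a NULL pointer dereference oops only when its trace names one of the two listed symbols. The function names, the 40-line trace window and both sample logs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: find NULL-dereference oopses whose
# trace names one of the symbols listed under "Log Indicators".
UVC_SYMS='uvcg_framebased_make|__uvcg_fill_strm'

# Reads kernel log text on stdin. Returns 0 if a matching oops is found, else 1.
scan_uvc_oops() {
    awk -v syms="$UVC_SYMS" '
        # An oops header opens a 40-line window (assumed long enough for the trace).
        /NULL pointer dereference/ { header = $0; window = 40; next }
        window > 0 {
            window--
            if ($0 ~ syms) {
                print "MATCH: " header
                print "   at: " $0
                hits++
                window = 0      # report each oops once
            }
        }
        END { exit (hits > 0 ? 0 : 1) }
    '
}

# Constructed sample: arm64-style oops in the UVC gadget configfs path.
sample_crash_log() {
    cat <<'EOF'
[  101.000001] configfs-gadget gadget.0: constructed sample line
[  101.000002] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  101.000003] Internal error: Oops: constructed sample
[  101.000004] pc : __uvcg_fill_strm+0x0/0x0
[  101.000005] Call trace:
[  101.000006]  uvcg_framebased_make+0x0/0x0
EOF
}

# Constructed sample: an unrelated NULL dereference plus harmless UVC chatter.
sample_other_log() {
    cat <<'EOF'
[  202.000001] uvcvideo: constructed sample line, no crash
[  202.000002] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  202.000003] RIP: 0010:example_other_driver_probe+0x0/0x0
EOF
}

sample_crash_log | scan_uvc_oops
```

On a live host, pipe `dmesg` or `journalctl -k` output into `scan_uvc_oops` in place of the sample log.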