CVE-2025-68773 (GCVE-0-2025-68773)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:28
VLAI?
Title
spi: fsl-cpm: Check length parity before switching to 16 bit mode
Summary
In the Linux kernel, the following vulnerability has been resolved: spi: fsl-cpm: Check length parity before switching to 16 bit mode Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 7f6738e003b364783f3019fdf6e7645bc8dd1643 , < 837a23a11e0f734f096c7c7b0778d0e625e3dc87 (git)
Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < 3dd6d01384823e1bd8602873153d6fc4337ac4fe (git)
Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < 743cebcbd1b2609ec5057ab474979cef73d1b681 (git)
Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < be0b613198e6bfa104ad520397cab82ad3ec1771 (git)
Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < 1417927df8049a0194933861e9b098669a95c762 (git)
Affected: 42c04316d9275ec267d36e5e9064cd56c9884148 (git)
Affected: dc120f2d35b030390a2bc0f94dd5f37e900cae91 (git)
Affected: b558275c1b040f0e5aa56c862241f9212b6118c3 (git)
Affected: 60afe299bb541a928ba39bcb4ae8d3e428d1c5a5 (git)
Affected: 4badd33929c05ed314794b95f1af1308f7222be8 (git)
Affected: b9d9e8856f1c83e4277403f9b4c369b322ebcb12 (git)
Affected: 36a6d0f66c874666caf4e8be155b1be30f6231be (git)
Create a notification for this product.
    Linux Linux Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc2 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-fsl-spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "837a23a11e0f734f096c7c7b0778d0e625e3dc87",
              "status": "affected",
              "version": "7f6738e003b364783f3019fdf6e7645bc8dd1643",
              "versionType": "git"
            },
            {
              "lessThan": "3dd6d01384823e1bd8602873153d6fc4337ac4fe",
              "status": "affected",
              "version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
              "versionType": "git"
            },
            {
              "lessThan": "743cebcbd1b2609ec5057ab474979cef73d1b681",
              "status": "affected",
              "version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
              "versionType": "git"
            },
            {
              "lessThan": "be0b613198e6bfa104ad520397cab82ad3ec1771",
              "status": "affected",
              "version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
              "versionType": "git"
            },
            {
              "lessThan": "1417927df8049a0194933861e9b098669a95c762",
              "status": "affected",
              "version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "42c04316d9275ec267d36e5e9064cd56c9884148",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dc120f2d35b030390a2bc0f94dd5f37e900cae91",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b558275c1b040f0e5aa56c862241f9212b6118c3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "60afe299bb541a928ba39bcb4ae8d3e428d1c5a5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4badd33929c05ed314794b95f1af1308f7222be8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b9d9e8856f1c83e4277403f9b4c369b322ebcb12",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "36a6d0f66c874666caf4e8be155b1be30f6231be",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-fsl-spi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "6.1.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc2",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.316",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.284",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.244",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.114",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.2.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.3.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl-cpm: Check length parity before switching to 16 bit mode\n\nCommit fc96ec826bce (\"spi: fsl-cpm: Use 16 bit mode for large transfers\nwith even size\") failed to make sure that the size is really even\nbefore switching to 16 bit mode. Until recently the problem went\nunnoticed because kernfs uses a pre-allocated bounce buffer of size\nPAGE_SIZE for reading EEPROM.\n\nBut commit 8ad6249c51d0 (\"eeprom: at25: convert to spi-mem API\")\nintroduced an additional dynamically allocated bounce buffer whose size\nis exactly the size of the transfer, leading to a buffer overrun in\nthe fsl-cpm driver when that size is odd.\n\nAdd the missing length parity verification and remain in 8 bit mode\nwhen the length is not even."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-13T15:28:50.686Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87"
        },
        {
          "url": "https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681"
        },
        {
          "url": "https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771"
        },
        {
          "url": "https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762"
        }
      ],
      "title": "spi: fsl-cpm: Check length parity before switching to 16 bit mode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68773",
    "datePublished": "2026-01-13T15:28:50.686Z",
    "dateReserved": "2025-12-24T10:30:51.035Z",
    "dateUpdated": "2026-01-13T15:28:50.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68773\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-13T16:15:56.840\",\"lastModified\":\"2026-01-13T16:15:56.840\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: fsl-cpm: Check length parity before switching to 16 bit mode\\n\\nCommit fc96ec826bce (\\\"spi: fsl-cpm: Use 16 bit mode for large transfers\\nwith even size\\\") failed to make sure that the size is really even\\nbefore switching to 16 bit mode. Until recently the problem went\\nunnoticed because kernfs uses a pre-allocated bounce buffer of size\\nPAGE_SIZE for reading EEPROM.\\n\\nBut commit 8ad6249c51d0 (\\\"eeprom: at25: convert to spi-mem API\\\")\\nintroduced an additional dynamically allocated bounce buffer whose size\\nis exactly the size of the transfer, leading to a buffer overrun in\\nthe fsl-cpm driver when that size is odd.\\n\\nAdd the missing length parity verification and remain in 8 bit mode\\nwhen the length is not even.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.