Updated: 2026-02-27 03:48:43.910199
Description:
In the Linux kernel, the following vulnerability has been resolved: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Robert Morris reported: |If a malicious USB device pretends to be an Intersil p54 wifi |interface and generates an eeprom_readback message with a large |eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the |message beyond the end of priv->eeprom. | |static void p54_rx_eeprom_readback(struct p54_common *priv, | struct sk_buff *skb) |{ | struct p54_hdr *hdr = (struct p54_hdr *) skb->data; | struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data; | | if (priv->fw_var >= 0x509) { | memcpy(priv->eeprom, eeprom->v2.data, | le16_to_cpu(eeprom->v2.len)); | } else { | memcpy(priv->eeprom, eeprom->v1.data, | le16_to_cpu(eeprom->v1.len)); | } | [...] The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom(). The device is supposed to provide the same length back to the driver. But yes, it's possible (like shown in the report) to alter the value to something that causes a crash/panic due to overrun. This patch addresses the issue by adding the size to the common device context, so p54_rx_eeprom_readback no longer relies on possibly tampered values... That said, it also checks if the "firmware" altered the value and no longer copies them. The one, small saving grace is: Before the driver tries to read the eeprom, it needs to upload >a< firmware. the vendor firmware has a proprietary license and as a reason, it is not present on most distributions by default.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | HIGH | 7.8 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.8 | HIGH | Not Vulnerable | 2025-12-29 07:27:49 | Not affected. This issue exists only in the Intersil Prism54 “p54” Wi‑Fi driver path (p54_rx_e... | |
| CentOS 6 ELS | kernel | 2.6.32 | 7.8 | HIGH | Not Vulnerable | 2026-01-05 19:53:04 | Not affected: CVE-2025-38348 targets a flaw in the p54 Wi‑Fi driver introduced in Linux v4.5‑rc1... | |
| CentOS 7 ELS | kernel | 3.10.0 | 7.8 | HIGH | Not Vulnerable | 2026-01-05 19:53:02 | Not affected: the overflow exists only in the Intersil Prism54 “p54” Wi‑Fi driver path (p54_rx... | |
| CentOS 8.4 ELS | kernel | 4.18.0 | 7.8 | HIGH | Not Vulnerable | 2025-12-29 07:27:50 | Not affected: this flaw is confined to the Intersil/Prism54 p54 Wi‑Fi driver path (p54_common via ... | |
| CentOS 8.5 ELS | kernel | 4.18.0 | 7.8 | HIGH | Not Vulnerable | 2025-12-29 07:27:50 | Not affected: this flaw is confined to the Intersil/Prism54 p54 Wi‑Fi driver path (p54_common via ... | |
| CentOS Stream 8 ELS | kernel | 4.18.0 | 7.8 | HIGH | Not Vulnerable | 2025-12-29 07:27:47 | Not affected: this flaw is confined to the Intersil/Prism54 p54 Wi‑Fi driver path (p54_common via ... | |
| CloudLinux 7 ELS | kernel | 3.10.0 | 7.8 | HIGH | Not Vulnerable | 2026-02-21 21:52:27 | Not affected: the overflow exists only in the Intersil Prism54 “p54” Wi‑Fi driver path (p54_rx... | |
| Oracle Linux 6 ELS | kernel | 2.6.32 | 7.8 | HIGH | In Progress | 2026-02-27 10:57:26 | ||
| Oracle Linux 7 ELS | kernel | 3.10.0 | 7.8 | HIGH | Not Vulnerable | 2026-02-21 21:52:27 | Not affected: the overflow exists only in the Intersil Prism54 “p54” Wi‑Fi driver path (p54_rx... | |
| Oracle Linux 7 ELS | kernel-uek | 5.4.17 | 7.8 | HIGH | Released | CLSA-2025:1757963029 | 2025-09-16 11:19:40 | Not affected: the overflow exists only in the Intersil Prism54 “p54” Wi‑Fi driver path (p54_rx... |