Linux Kernel Out-of-Bounds Read Vulnerability in UVC Video Class Driver

A vulnerability has been identified in the Linux kernel's USB Video Class (UVC) driver, specifically in the function uvc_parse_format(). The issue arises from inadequate buffer length validation, which only ensures a minimum of 3 bytes before accessing the fourth byte. This flaw can lead to a 1-byte out-of-bounds read when the buffer is exactly 3 bytes long. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes a 1-byte out-of-bounds read, which can potentially be leveraged for various types of memory corruption attacks.

Reproduction

The vulnerability can be reproduced by sending a USB Video Class format parsing request with a buffer that is exactly 3 bytes long. The UVC driver will incorrectly process this buffer, leading to an out-of-bounds read.

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.