CVE-2025-68289 - Vulnerability Details

- usb: gadget: f_eem: Fix memory leak in eem_unwrap

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_eem: Fix memory leak in eem_unwrap

The existing code did not handle the failure case of usb_ep_queue in the
command path, potentially leading to memory leaks.

Improve error handling to free all allocated resources on usb_ep_queue
failure. This patch continues to use goto logic for error handling, as the
existing error handling is complex and not easily adaptable to auto-cleanup
helpers.

kmemleak results:
unreferenced object 0xffffff895a512300 (size 240):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
kmem_cache_alloc+0x1b4/0x358
skb_clone+0x90/0xd8
eem_unwrap+0x1cc/0x36c
unreferenced object 0xffffff8a157f4000 (size 256):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
dwc3_gadget_ep_alloc_request+0x58/0x11c
usb_ep_alloc_request+0x40/0xe4
eem_unwrap+0x204/0x36c
unreferenced object 0xffffff8aadbaac00 (size 128):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
__kmalloc+0x64/0x1a8
eem_unwrap+0x218/0x36c
unreferenced object 0xffffff89ccef3500 (size 64):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
eem_unwrap+0x238/0x36c

Published: 2025-12-16

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3b545788505b2e2883aff13bdddeacaf88942a4f`	affected	< a9985a88b2fc29fbe1657fe8518908e261d6889c
`4249d6fbc10fd997abdf8a1ea49c0389a0edf706`	affected	< 5a1628283cd9dccf1e44acfb74e77504f4dc7472
`4249d6fbc10fd997abdf8a1ea49c0389a0edf706`	affected	< 0ac07e476944a5e4c2b8b087dd167dec248c1bdf
`4249d6fbc10fd997abdf8a1ea49c0389a0edf706`	affected	< 41434488ca714ab15cb2a4d0378418d1be8052d2
`4249d6fbc10fd997abdf8a1ea49c0389a0edf706`	affected	< e72c963177c708a167a7e17ed6c76320815157cf
`4249d6fbc10fd997abdf8a1ea49c0389a0edf706`	affected	< 0dea2e0069a7e9aa034696f8065945b7be6dd6b7
`4249d6fbc10fd997abdf8a1ea49c0389a0edf706`	affected	< e4f5ce990818d37930cd9fb0be29eee0553c59d9
`d55a236f1bab102e353ea5abb7b7b6ff7e847294`	affected	—
`8e275d3d5915a8f7db3786e3f84534bb48245f4c`	affected	—
`3680a6ff9a9ccd3c664663da04bef2534397d591`	affected	—
`d654be97e1b679616e3337b871a9ec8f31a88841`	affected	—
`8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9`	affected	—
`77d7f071883cf2921a7547f82e41f15f7f860e35`	affected	—
`a55093941e38113dd6f5f5d5d2705fec3018f332`	affected	—
`5.10.50`	affected	< 5.10.247
`4.4.276`	affected	< 4.5
`4.9.276`	affected	< 4.10
`4.14.240`	affected	< 4.15
`4.19.198`	affected	< 4.20
`5.4.132`	affected	< 5.5
`5.12.17`	affected	< 5.13
`5.13.2`	affected	< 5.14

Linux

affected

Version	Status	Constraints
`5.14`	affected	—
`0`	unaffected	< 5.14
`5.10.247`	unaffected	≤ 5.10.*
`5.15.197`	unaffected	≤ 5.15.*
`6.1.159`	unaffected	≤ 6.1.*
`6.6.119`	unaffected	≤ 6.6.*
`6.12.61`	unaffected	≤ 6.12.*
`6.17.11`	unaffected	≤ 6.17.*
`6.18`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4436-1	linux-6.1 security update
Ubuntu USN	USN-8094-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8095-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8095-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8096-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8100-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8094-2	Linux kernel vulnerabilities
Ubuntu USN	USN-8095-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8096-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-4	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8095-4	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-8096-5	Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN	USN-8116-1	Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN	USN-8094-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8094-4	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8125-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8126-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8094-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8095-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8141-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8152-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-8163-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8165-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8163-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8243-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8261-1	Linux kernel (Xilinx) vulnerabilities

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0ac07e476944a5e4c2b8b087dd167dec248c1bdf
https://git.kernel.org/stable/c/0dea2e0069a7e9aa034696f8065945b7be6dd6b7
https://git.kernel.org/stable/c/41434488ca714ab15cb2a4d0378418d1be8052d2
https://git.kernel.org/stable/c/5a1628283cd9dccf1e44acfb74e77504f4dc7472
https://git.kernel.org/stable/c/a9985a88b2fc29fbe1657fe8518908e261d6889c
https://git.kernel.org/stable/c/e4f5ce990818d37930cd9fb0be29eee0553c59d9
https://git.kernel.org/stable/c/e72c963177c708a167a7e17ed6c76320815157cf
https://lore.kernel.org/linux-cve-announce/2025121639-CVE-2025-68289-1efe@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-68289
https://www.cve.org/CVERecord?id=CVE-2025-68289

History

Wed, 17 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025121639-CVE-2025-68289-1efe@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-68289 https://www.cve.org/CVERecord?id=CVE-2025-68289

Tue, 16 Dec 2025 15:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix memory leak in eem_unwrap The existing code did not handle the failure case of usb_ep_queue in the command path, potentially leading to memory leaks. Improve error handling to free all allocated resources on usb_ep_queue failure. This patch continues to use goto logic for error handling, as the existing error handling is complex and not easily adaptable to auto-cleanup helpers. kmemleak results: unreferenced object 0xffffff895a512300 (size 240): backtrace: slab_post_alloc_hook+0xbc/0x3a4 kmem_cache_alloc+0x1b4/0x358 skb_clone+0x90/0xd8 eem_unwrap+0x1cc/0x36c unreferenced object 0xffffff8a157f4000 (size 256): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 dwc3_gadget_ep_alloc_request+0x58/0x11c usb_ep_alloc_request+0x40/0xe4 eem_unwrap+0x204/0x36c unreferenced object 0xffffff8aadbaac00 (size 128): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc __kmalloc+0x64/0x1a8 eem_unwrap+0x218/0x36c unreferenced object 0xffffff89ccef3500 (size 64): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 eem_unwrap+0x238/0x36c
Title		usb: gadget: f_eem: Fix memory leak in eem_unwrap
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0ac07e476944a5e4c2b8b087dd167dec248c1bdf https://git.kernel.org/stable/c/0dea2e0069a7e9aa034696f8065945b7be6dd6b7 https://git.kernel.org/stable/c/41434488ca714ab15cb2a4d0378418d1be8052d2 https://git.kernel.org/stable/c/5a1628283cd9dccf1e44acfb74e77504f4dc7472 https://git.kernel.org/stable/c/a9985a88b2fc29fbe1657fe8518908e261d6889c https://git.kernel.org/stable/c/e4f5ce990818d37930cd9fb0be29eee0553c59d9 https://git.kernel.org/stable/c/e72c963177c708a167a7e17ed6c76320815157cf

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-16T15:06:10.450Z

Updated: 2026-05-23T16:02:32.799Z

Reserved: 2025-12-16T14:48:05.292Z

Link: CVE-2025-68289

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-16T16:16:07.747

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68289

Redhat

Severity :

Publid Date: 2025-12-16T00:00:00Z

Links: CVE-2025-68289 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object