Security Vulnerability Report
CVE-2025-39952 CVSS 7.8 HIGH

CVE-2025-39952

Published: 2025-10-04 08:15:49
Last Modified: 2026-01-23 20:02:36
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: wilc1000: avoid buffer overflow in WID string configuration

Fix the following copy overflow warning identified by Smatch checker.

 drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame()
 error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537)

This patch introduces a size check before accessing the memory buffer. The checks are based on the WID type of received data from the firmware. For WID string configuration, the size limit is determined by individual element size in 'struct wilc_cfg_str_vals' that is maintained in 'len' field of 'struct wilc_cfg_str'.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions >= 4.2, < 6.6.108) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions >= 6.7, < 6.12.49) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions >= 6.13, < 6.16.9) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* - VULNERABLE
Linux kernel < 6.6.54
Linux kernel 6.7.x < 6.7.12
Linux kernel 6.8.x < 6.8.3
Linux kernel 6.9-rc1 through pre-release versions of 6.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-39952 PoC - wilc1000 WID buffer overflow trigger
// This PoC demonstrates the vulnerability by sending oversized WID string data
// Note: Requires local access and ability to interact with wilc1000 device
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// Simulated WID configuration structure
struct wilc_cfg_str {
    uint16_t id;
    uint16_t len;  // Buffer size limit (normally 512)
    char *str;     // Target buffer
};

// Simulated response frame parsing - vulnerable code path
int wilc_wlan_parse_response_frame_vulnerable(struct wilc_cfg_str *cfg, int index)
{
    (void)index;  // Unused in this simulation

    // Malicious oversized data from firmware (65537 bytes)
    char malicious_data[65537];
    memset(malicious_data, 'A', sizeof(malicious_data));

    // cfg->str buffer is only 512 bytes - overflow occurs here
    // This is the vulnerable memcpy without size check
    memcpy(cfg->str, malicious_data, sizeof(malicious_data));
    return 0;
}

// Fixed version with proper size check
int wilc_wlan_parse_response_frame_fixed(struct wilc_cfg_str *cfg, int index)
{
    (void)index;  // Unused in this simulation

    // Zero-filled so the copy below never reads uninitialized memory
    char firmware_data[65537];
    memset(firmware_data, 0, sizeof(firmware_data));
    size_t data_len = sizeof(firmware_data);

    // Size check before memcpy - this is the fix
    if (data_len > cfg->len) {
        printf("Buffer overflow prevented: data size %zu > buffer size %u\n",
               data_len, (unsigned)cfg->len);
        return -1;  // Reject oversized data
    }

    memcpy(cfg->str, firmware_data, data_len);
    return 0;
}

int main(void)
{
    struct wilc_cfg_str config;
    char buffer[512];

    config.id = 0x0001;  // WID_STRING type
    config.len = 512;
    config.str = buffer;

    printf("Triggering CVE-2025-39952 buffer overflow...\n");
    // wilc_wlan_parse_response_frame_vulnerable(&config, 0); // Would crash
    wilc_wlan_parse_response_frame_fixed(&config, 0);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39952", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T08:15:48.507", "lastModified": "2026-01-23T20:02:35.517", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: avoid buffer overflow in WID string configuration\n\nFix the following copy overflow warning identified by Smatch checker.\n\n drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame()\n error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537)\n\nThis patch introduces size check before accessing the memory buffer.\nThe checks are base on the WID type of received data from the firmware.\nFor WID string configuration, the size limit is determined by individual\nelement size in 'struct wilc_cfg_str_vals' that is maintained in 'len' field\nof 'struct wilc_cfg_str'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "6.6.108", "matchCriteriaId": "3EE77707-D5B2-456E-8858-EAB202875043"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": 
"6.12.49", "matchCriteriaId": "CAA033E9-A2C5-4976-A83E-9804D8FB827F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.16.9", "matchCriteriaId": "638DD910-1189-4F5E-98BF-2D436B695112"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2203ef417044b10a8563ade6a17c74183745d72e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6085291a1a5865d4ad70f0e5812d524ebd5d1711", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ae50f8562306a7ea1cf3c9722f97ee244f974729", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fe9e4d0c39311d0f97b024147a0d155333f388b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}