CVE-2025-21835: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21835 affects the Linux kernel's USB MIDI gadget driver (f_midi). The vulnerability was discovered on January 30, 2025, and was publicly disclosed on March 7, 2025. The issue involves incorrect handling of MIDI Streaming descriptor lengths in the USB gadget MIDI function driver, specifically when the numbers of input and output ports are not equal (NVD, Debian Tracker).

The vulnerability stems from incorrect settings of bNumEmbMIDIJack and bLength parameters in MIDIStreaming endpoint descriptors. While the MIDI jacks are configured correctly and the MIDIStreaming endpoint descriptors contain correct information, these two specific parameters are set incorrectly. The issue manifests when the numbers of input and output ports differ, causing the host to receive broken descriptors with uninitialized stack memory leaking into the descriptor for whichever value is smaller. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Red Hat XML).

When exploited, this vulnerability can lead to information disclosure through uninitialized stack memory leaking into USB descriptors. The impact is limited to scenarios where the number of input ports differs from the number of output ports in the MIDI device configuration (Kernel Git).

The vulnerability has been fixed in multiple Linux kernel versions. The fix involves correcting the assignment of bLength and bNumEmbMIDIJack parameters in the USB MIDI descriptor configuration. Debian has fixed this in version 6.1.129-1 for bookworm and 6.12.17-1 for sid/trixie releases (Debian Tracker).