Low

Linux kernel USB gadget f_eem eem_unwrap memory leak

IdentifiersCVE-2025-68289CWE-401

CVE-2025-68289 is a memory management flaw in the Linux kernel USB gadget EEM component, specifically in the f_eem driver’s eem_unwrap function. The vulnerable code did not correctly handle the failure case of usb_ep_queue in the command path. When usb_ep_queue failed, previously allocated objects were not freed, resulting in leaked kernel memory. The upstream fix adds error handling to release all allocated resources on usb_ep_queue failure. Reported kmemleak traces show unreferenced allocations originating from skb_clone, usb_ep_alloc_request, and kmalloc paths within eem_unwrap.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering of the flaw can cause repeated kernel memory leaks, degrading system stability and exhausting available memory over time. Based on the provided CVSS context, the primary impact is availability, with no stated confidentiality or integrity impact. In practice, an attacker able to reach the vulnerable path could induce denial-of-service conditions through resource exhaustion.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling or avoiding use of the USB gadget EEM function/driver where operationally feasible, especially on systems that expose USB gadget functionality to local or attached actors. Restrict access to interfaces and privileges required to configure or interact with USB gadget functionality. These measures may reduce exploitability but do not replace patching.

Remediation

Patch, then assume compromise.

Apply a Linux kernel update that includes the upstream fix for CVE-2025-68289 in the USB gadget f_eem eem_unwrap error-handling path. The fix ensures all allocated resources are freed when usb_ep_queue fails. Vendor-provided fixed packages are available in multiple SUSE advisories; use the kernel version appropriate for the affected distribution and service pack.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

4 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3