CVE-2025-38394

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 25/07/2025
Last modified: 19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: fix memory corruption of input_handler_list

In appletb_kbd_probe an input handler is initialised and then registered with input core through input_register_handler(). When this happens input core will add the input handler (specifically its node) to the global input_handler_list. The input_handler_list is central to the functionality of input core and is traversed in various places in input core. An example of this is when a new input device is plugged in and gets registered with input core.

The input_handler in probe is allocated as device managed memory. If a probe failure occurs after input_register_handler() the input_handler memory is freed, yet it will remain in the input_handler_list. This effectively means the input_handler_list contains a dangling pointer to data belonging to a freed input handler.

This causes an issue when any other input device is plugged in - in my case I had an old PixArt HP USB optical mouse and I decided to plug it in after a failure occurred after input_register_handler(). This led to the registration of this input device via input_register_device which involves traversing over every handler in the corrupted input_handler_list and calling input_attach_handler(), giving each handler a chance to bind to the newly registered device.

The core of this bug is a UAF which causes memory corruption of input_handler_list and to fix it we must ensure the input handler is unregistered from input core; this is done through input_unregister_handler().

[ 63.191597] ==================================================================
[ 63.192094] BUG: KASAN: slab-use-after-free in input_attach_handler.isra.0+0x1a9/0x1e0
[ 63.192094] Read of size 8 at addr ffff888105ea7c80 by task kworker/0:2/54
[ 63.192094]
[ 63.192094] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc2-00321-g2aa6621d
[ 63.192094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.164
[ 63.192094] Workqueue: usb_hub_wq hub_event
[ 63.192094] Call Trace:
[ 63.192094]
[ 63.192094] dump_stack_lvl+0x53/0x70
[ 63.192094] print_report+0xce/0x670
[ 63.192094] kasan_report+0xce/0x100
[ 63.192094] input_attach_handler.isra.0+0x1a9/0x1e0
[ 63.192094] input_register_device+0x76c/0xd00
[ 63.192094] hidinput_connect+0x686d/0xad60
[ 63.192094] hid_connect+0xf20/0x1b10
[ 63.192094] hid_hw_start+0x83/0x100
[ 63.192094] hid_device_probe+0x2d1/0x680
[ 63.192094] really_probe+0x1c3/0x690
[ 63.192094] __driver_probe_device+0x247/0x300
[ 63.192094] driver_probe_device+0x49/0x210
[ 63.192094] __device_attach_driver+0x160/0x320
[ 63.192094] bus_for_each_drv+0x10f/0x190
[ 63.192094] __device_attach+0x18e/0x370
[ 63.192094] bus_probe_device+0x123/0x170
[ 63.192094] device_add+0xd4d/0x1460
[ 63.192094] hid_add_device+0x30b/0x910
[ 63.192094] usbhid_probe+0x920/0xe00
[ 63.192094] usb_probe_interface+0x363/0x9a0
[ 63.192094] really_probe+0x1c3/0x690
[ 63.192094] __driver_probe_device+0x247/0x300
[ 63.192094] driver_probe_device+0x49/0x210
[ 63.192094] __device_attach_driver+0x160/0x320
[ 63.192094] bus_for_each_drv+0x10f/0x190
[ 63.192094] __device_attach+0x18e/0x370
[ 63.192094] bus_probe_device+0x123/0x170
[ 63.192094] device_add+0xd4d/0x1460
[ 63.192094] usb_set_configuration+0xd14/0x1880
[ 63.192094] usb_generic_driver_probe+0x78/0xb0
[ 63.192094] usb_probe_device+0xaa/0x2e0
[ 63.192094] really_probe+0x1c3/0x690
[ 63.192094] __driver_probe_device+0x247/0x300
[ 63.192094] driver_probe_device+0x49/0x210
[ 63.192094] __device_attach_driver+0x160/0x320
[ 63.192094] bus_for_each_drv+0x10f/0x190
[ 63.192094] __device_attach+0x18e/0x370
[ 63.192094] bus_probe_device+0x123/0x170
[ 63.192094] device_add+0xd4d/0x1460
[ 63.192094] usb_new_device+0x7b4/0x1000
[ 63.192094] hub_event+0x234d/0x3
---truncated---
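To make the lifecycle described above concrete, the following is an added userspace C model (not kernel code and not the driver's actual fix): a plain linked list stands in for input_handler_list, a handler is marked freed instead of really freed so a dangling entry can be detected the way KASAN would, and the probe error path is run with and without the input_unregister_handler() step the commit message calls for. All function and field names here are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for struct input_handler plus its list node. */
struct handler {
    const char *name;
    struct handler *next;
    bool freed;          /* set by the devm-style release below */
};

/* Stands in for the global input_handler_list. */
static struct handler *handler_list;

/* Stands in for input_register_handler(): links the node into the list. */
static void register_handler(struct handler *h) {
    h->next = handler_list;
    handler_list = h;
}

/* Stands in for input_unregister_handler(): unlinks the node. */
static void unregister_handler(struct handler *h) {
    for (struct handler **pp = &handler_list; *pp; pp = &(*pp)->next)
        if (*pp == h) { *pp = h->next; return; }
}

/* Device-managed memory is released when probe fails. Marking instead of
 * freeing lets the walk below spot a dangling list entry. */
static void devm_release(struct handler *h) { h->freed = true; }

/* Mirrors input_register_device() walking every handler to call
 * input_attach_handler(). Returns how many freed handlers were touched;
 * anything but 0 is the use-after-free the KASAN report shows. */
static int attach_all_handlers(void) {
    int dangling = 0;
    for (struct handler *h = handler_list; h; h = h->next)
        if (h->freed) dangling++;
    return dangling;
}

/* Probe that registers the handler, then fails at a later step.
 * fix=false leaves the node on the list (the bug); fix=true unregisters
 * it before devm frees the memory (the corrective behaviour). */
static int probe(struct handler *h, bool fix) {
    register_handler(h);
    int err = -1;                  /* simulated later probe failure */
    if (fix) unregister_handler(h);
    devm_release(h);
    return err;
}

/* Runs one probe failure, then plugs in "another device". */
static int run_scenario(bool fix) {
    handler_list = NULL;
    struct handler kbd = { .name = "appletb-kbd", .next = NULL, .freed = false };
    (void)probe(&kbd, fix);
    return attach_all_handlers();  /* 1 without the fix, 0 with it */
}
```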

Vulnerable products and versions

CPE                                               From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.15 (including)  6.15.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*