CVE-2025-39824

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
16/09/2025
Last modified:
16/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: asus: fix UAF via HID_CLAIMED_INPUT validation

After hid_hw_start() is called, hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are processed and corresponding hid_inputs are allocated and configured via hidinput_configure_usages(). This process involves slot tagging report fields and configuring usages by setting relevant bits in the capability bitmaps. However, it is possible that the capability bitmaps are not set at all, leading the subsequent hidinput_has_been_populated() check to fail, which leads to the freeing of the hid_input and the underlying input device.

This becomes problematic because a malicious HID device like an ASUS ROG N-Key keyboard can trigger the above scenario via a specially crafted descriptor, which then leads to a use-after-free when the name of the freed input device is written to later on after hid_hw_start(). Below, report 93 intentionally utilises the HID_UP_UNDEFINED Usage Page which is skipped during usage configuration, leading to the frees.

    0x05, 0x0D,        // Usage Page (Digitizer)
    0x09, 0x05,        // Usage (Touch Pad)
    0xA1, 0x01,        // Collection (Application)
    0x85, 0x0D,        //   Report ID (13)
    0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)
    0x09, 0xC5,        //   Usage (0xC5)
    0x15, 0x00,        //   Logical Minimum (0)
    0x26, 0xFF, 0x00,  //   Logical Maximum (255)
    0x75, 0x08,        //   Report Size (8)
    0x95, 0x04,        //   Report Count (4)
    0xB1, 0x02,        //   Feature (Data,Var,Abs)
    0x85, 0x5D,        //   Report ID (93)
    0x06, 0x00, 0x00,  //   Usage Page (Undefined)
    0x09, 0x01,        //   Usage (0x01)
    0x15, 0x00,        //   Logical Minimum (0)
    0x26, 0xFF, 0x00,  //   Logical Maximum (255)
    0x75, 0x08,        //   Report Size (8)
    0x95, 0x1B,        //   Report Count (27)
    0x81, 0x02,        //   Input (Data,Var,Abs)
    0xC0,              // End Collection

Below is the KASAN splat after triggering the UAF:

    [   21.672709] ==================================================================
    [   21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80
    [   21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54
    [   21.673700]
    [   21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)
    [   21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
    [   21.673700] Call Trace:
    [   21.673700]
    [   21.673700]  dump_stack_lvl+0x5f/0x80
    [   21.673700]  print_report+0xd1/0x660
    [   21.673700]  kasan_report+0xe5/0x120
    [   21.673700]  __asan_report_store8_noabort+0x1b/0x30
    [   21.673700]  asus_probe+0xeeb/0xf80
    [   21.673700]  hid_device_probe+0x2ee/0x700
    [   21.673700]  really_probe+0x1c6/0x6b0
    [   21.673700]  __driver_probe_device+0x24f/0x310
    [   21.673700]  driver_probe_device+0x4e/0x220
    [...]
    [   21.673700]
    [   21.673700] Allocated by task 54:
    [   21.673700]  kasan_save_stack+0x3d/0x60
    [   21.673700]  kasan_save_track+0x18/0x40
    [   21.673700]  kasan_save_alloc_info+0x3b/0x50
    [   21.673700]  __kasan_kmalloc+0x9c/0xa0
    [   21.673700]  __kmalloc_cache_noprof+0x139/0x340
    [   21.673700]  input_allocate_device+0x44/0x370
    [   21.673700]  hidinput_connect+0xcb6/0x2630
    [   21.673700]  hid_connect+0xf74/0x1d60
    [   21.673700]  hid_hw_start+0x8c/0x110
    [   21.673700]  asus_probe+0x5a3/0xf80
    [   21.673700]  hid_device_probe+0x2ee/0x700
    [   21.673700]  really_probe+0x1c6/0x6b0
    [   21.673700]  __driver_probe_device+0x24f/0x310
    [   21.673700]  driver_probe_device+0x4e/0x220
    [...]
    [   21.673700]
    [   21.673700] Freed by task 54:
    [   21.673700]  kasan_save_stack+0x3d/0x60
    [   21.673700]  kasan_save_track+0x18/0x40
    [   21.673700]  kasan_save_free_info+0x3f/0x60
    [   21.673700]  __kasan_slab_free+0x3c/0x50
    [   21.673700]  kfre
---truncated---
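As an added example (not code from the kernel or from this advisory), the Python below decodes the report descriptor quoted above item by item and flags report IDs whose Input/Output fields all use Usage Page 0x00, the HID_UP_UNDEFINED case the advisory says is skipped during usage configuration. It is a triage aid for descriptors captured from a device; it models only that one check, not the full hidinput_configure_usages() logic.

```python
"""Decode HID report descriptor short items and flag reports whose fields all
use Usage Page 0x00 (HID_UP_UNDEFINED). Added example, not kernel code."""

HID_UP_UNDEFINED = 0x00
_SIZE = {0: 0, 1: 1, 2: 2, 3: 4}  # bSize code in the prefix -> payload bytes
_MAIN = {0x8: "Input", 0x9: "Output", 0xB: "Feature"}  # main-item tags
_GLOBAL = {0x0: "usage_page", 0x7: "report_size", 0x8: "report_id", 0x9: "report_count"}

# Descriptor quoted in the advisory: report 13 (Feature, vendor page 0xFF00)
# and report 93 (Input, Undefined usage page).
DESCRIPTOR = bytes([
    0x05, 0x0D, 0x09, 0x05, 0xA1, 0x01, 0x85, 0x0D, 0x06, 0x00, 0xFF,
    0x09, 0xC5, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x04,
    0xB1, 0x02, 0x85, 0x5D, 0x06, 0x00, 0x00, 0x09, 0x01, 0x15, 0x00,
    0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x1B, 0x81, 0x02, 0xC0,
])


def decode_fields(desc: bytes) -> list[dict]:
    """One record per Input/Output/Feature item with the global state in force."""
    state = {"usage_page": None, "report_id": 0, "report_size": 0, "report_count": 0}
    fields, i = [], 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:
            raise ValueError("long items are not supported")
        size, btype, tag = _SIZE[prefix & 3], (prefix >> 2) & 3, prefix >> 4
        payload = desc[i + 1:i + 1 + size]
        if len(payload) != size:
            raise ValueError(f"truncated item at offset {i}")
        data = int.from_bytes(payload, "little")
        i += 1 + size
        if btype == 1 and tag in _GLOBAL:      # Global item: update state
            state[_GLOBAL[tag]] = data
        elif btype == 0 and tag in _MAIN:      # Main item: emit a field record
            fields.append({"kind": _MAIN[tag], **state})
    return fields


def undefined_input_reports(desc: bytes) -> list[int]:
    """Report IDs whose Input/Output fields all sit on HID_UP_UNDEFINED, i.e.
    reports that would add no capability bits during hidinput_connect()."""
    pages: dict[int, list[int]] = {}
    for f in decode_fields(desc):
        if f["kind"] in ("Input", "Output"):
            pages.setdefault(f["report_id"], []).append(f["usage_page"])
    return sorted(r for r, p in pages.items() if all(x == HID_UP_UNDEFINED for x in p))
```

For the advisory's descriptor, `undefined_input_reports(DESCRIPTOR)` returns `[93]`; report 13 carries only a Feature field, which is not part of input-layer setup and so is not considered.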

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 5.4.298 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.242 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.191 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.150 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.104 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.45 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.16.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*