CVE-2025-38557

EPSS 0.03%
Published 19.08.2025 17:15:31
Last modified 20.08.2025 14:40:17
Source 416baaa9-dc9f-4396-8d5f-8c081f
Teams watchlist Login
Open Login

In the Linux kernel, the following vulnerability has been resolved:

HID: apple: validate feature-report field count to prevent NULL pointer dereference

A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL
pointer dereference whilst the power feature-report is toggled and sent to
the device in apple_magic_backlight_report_set(). The power feature-report
is expected to have two data fields, but if the descriptor declares one
field then accessing field[1] and dereferencing it in
apple_magic_backlight_report_set() becomes invalid
since field[1] will be NULL.

An example of a minimal descriptor which can cause the crash is something
like the following where the report with ID 3 (power report) only
references a single 1-byte field. When hid core parses the descriptor it
will encounter the final feature tag, allocate a hid_report (all members
of field[] will be zeroed out), create field structure and populate it,
increasing the maxfield to 1. The subsequent field[1] access and
dereference causes the crash.

  Usage Page (Vendor Defined 0xFF00)
  Usage (0x0F)
  Collection (Application)
    Report ID (1)
    Usage (0x01)
    Logical Minimum (0)
    Logical Maximum (255)
    Report Size (8)
    Report Count (1)
    Feature (Data,Var,Abs)

    Usage (0x02)
    Logical Maximum (32767)
    Report Size (16)
    Report Count (1)
    Feature (Data,Var,Abs)

    Report ID (3)
    Usage (0x03)
    Logical Minimum (0)
    Logical Maximum (1)
    Report Size (8)
    Report Count (1)
    Feature (Data,Var,Abs)
  End Collection

Here we see the KASAN splat when the kernel dereferences the
NULL pointer and crashes:

  [   15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI
  [   15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
  [   15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)
  [   15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
  [   15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210
  [   15.165691] Call Trace:
  [   15.165691]  <TASK>
  [   15.165691]  apple_probe+0x571/0xa20
  [   15.165691]  hid_device_probe+0x2e2/0x6f0
  [   15.165691]  really_probe+0x1ca/0x5c0
  [   15.165691]  __driver_probe_device+0x24f/0x310
  [   15.165691]  driver_probe_device+0x4a/0xd0
  [   15.165691]  __device_attach_driver+0x169/0x220
  [   15.165691]  bus_for_each_drv+0x118/0x1b0
  [   15.165691]  __device_attach+0x1d5/0x380
  [   15.165691]  device_initial_probe+0x12/0x20
  [   15.165691]  bus_probe_device+0x13d/0x180
  [   15.165691]  device_add+0xd87/0x1510
  [...]

To fix this issue we should validate the number of fields that the
backlight and power reports have and if they do not have the required
number of fields then bail.

Affected products Warnungen 0 Metrics 1 CWE 0 References 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorLinux

≫

Product Linux

Default Statusunaffected

Version < ba08cc6801ec5fb98f2d02b5f0c614c931845325

Version 394ba612f9419ec5bfebbffb72212fd3b2094986

Status affected

Version < 7e15d1eaa88179c5185e57a38ab05fe852d0cb8d

Version 394ba612f9419ec5bfebbffb72212fd3b2094986

Status affected

Version < 00896c3f41cb6b74fec853386076115ba50baf0a

Version 394ba612f9419ec5bfebbffb72212fd3b2094986

Status affected

Version < 1bb3363da862e0464ec050eea2fb5472a36ad86b

Version 394ba612f9419ec5bfebbffb72212fd3b2094986

Status affected

VendorLinux

≫

Product Linux

Default Statusaffected

Version 6.11

Status affected

Version < 6.11

Version 0

Status unaffected

Version <= 6.12.*

Version 6.12.42

Status unaffected

Version <= 6.15.*

Version 6.15.10

Status unaffected

Version <= 6.16.*

Version 6.16.1

Status unaffected

Version <= *

Version 6.17-rc1

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.055

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string

https://git.kernel.org/stable/c/00896c3f41cb6b74fec853386076115ba50baf0a

https://git.kernel.org/stable/c/1bb3363da862e0464ec050eea2fb5472a36ad86b

https://git.kernel.org/stable/c/7e15d1eaa88179c5185e57a38ab05fe852d0cb8d

https://git.kernel.org/stable/c/ba08cc6801ec5fb98f2d02b5f0c614c931845325

https://nvd.nist.gov/vuln/detail/CVE-2025-38557

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-38557

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-38557

EUVD