-
CVE-2025-39806
- EPSS 0.03%
- Published 16.09.2025 13:00:09
- Last modified 18.09.2025 13:43:45
- Source 416baaa9-dc9f-4396-8d5f-8c081f
- Teams watchlist Login
- Open Login
In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it. Below is the KASAN splat after the out of bounds access happens: [ 13.671954] ================================================================== [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110 [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10 [ 13.673297] [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3 [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04 [ 13.673297] Call Trace: [ 13.673297] <TASK> [ 13.673297] dump_stack_lvl+0x5f/0x80 [ 13.673297] print_report+0xd1/0x660 [ 13.673297] kasan_report+0xe5/0x120 [ 13.673297] __asan_report_load1_noabort+0x18/0x20 [ 13.673297] mt_report_fixup+0x103/0x110 [ 13.673297] hid_open_report+0x1ef/0x810 [ 13.673297] mt_probe+0x422/0x960 [ 13.673297] hid_device_probe+0x2e2/0x6f0 [ 13.673297] really_probe+0x1c6/0x6b0 [ 13.673297] __driver_probe_device+0x24f/0x310 [ 13.673297] driver_probe_device+0x4e/0x220 [ 13.673297] __device_attach_driver+0x169/0x320 [ 13.673297] bus_for_each_drv+0x11d/0x1b0 [ 13.673297] __device_attach+0x1b8/0x3e0 [ 13.673297] device_initial_probe+0x12/0x20 [ 13.673297] bus_probe_device+0x13d/0x180 [ 13.673297] device_add+0xe3a/0x1670 [ 13.673297] hid_add_device+0x31d/0xa40 [...]
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
≫
Product
Linux
Default Statusunaffected
Version <
4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d
Version
7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0
Status
affected
Version <
7ab7311c43ae19c66c53ccd8c5052a9072a4e338
Version
45ec9f17ce46417fc4eccecf388c99e81fb7fcc1
Status
affected
Version <
d4e6e2680807671e1c73cd6a986b33659ce92f2b
Version
1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b
Status
affected
Version <
3055309821dd3da92888f88bad10f0324c3c89fe
Version
c8000deb68365b461b324d68c7ea89d730f0bb85
Status
affected
Version <
c13e95587583d018cfbcc277df7e02d41902ac5a
Version
c8000deb68365b461b324d68c7ea89d730f0bb85
Status
affected
Version <
0379eb8691b9c4477da0277ae0832036ca4410b4
Version
c8000deb68365b461b324d68c7ea89d730f0bb85
Status
affected
Version
d189e24a42b8bd0ece3d28801d751bf66dba8e92
Status
affected
VendorLinux
≫
Product
Linux
Default Statusaffected
Version
6.11
Status
affected
Version <
6.11
Version
0
Status
unaffected
Version <=
5.15.*
Version
5.15.191
Status
unaffected
Version <=
6.1.*
Version
6.1.150
Status
unaffected
Version <=
6.6.*
Version
6.6.104
Status
unaffected
Version <=
6.12.*
Version
6.12.45
Status
unaffected
Version <=
6.16.*
Version
6.16.5
Status
unaffected
Version <=
*
Version
6.17-rc4
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.078 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|