cbcvebase.
CVE-2025-39806
published 2025-09-16


High 7.1 (CVSS 3.1)
AV:L AC:L PR:L UI:N S:U C:H I:N A:H
In the Linux kernel, the following vulnerability has been resolved:

HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in a report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15; however, it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it.

Below is the KASAN splat after the out of bounds access happens:

[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297]
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
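The missing check and the fix described above, modelled in user space as an added example (this is not the kernel's code or the upstream patch). The function names, the result enum and the zero-filled buffers are assumptions made for illustration; only offset 607, the 608-byte minimum and the 0x15/0x25 values come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FIXUP_OFFSET   607u                 /* offset named in the description */
#define FIXUP_MIN_SIZE (FIXUP_OFFSET + 1u)  /* 608 bytes */
enum fixup_result { FIXUP_TOO_SHORT, FIXUP_UNCHANGED, FIXUP_PATCHED };

/* Pre-fix pattern: trusts that offset 607 exists. With a shorter
 * descriptor this read lands outside the allocation. */
static enum fixup_result fixup_unchecked(uint8_t *rdesc, size_t size)
{
    (void)size;
    if (rdesc[FIXUP_OFFSET] != 0x15)
        return FIXUP_UNCHANGED;
    rdesc[FIXUP_OFFSET] = 0x25;
    return FIXUP_PATCHED;
}

/* Fixed pattern: refuse to touch descriptors shorter than 608 bytes. */
static enum fixup_result fixup_checked(uint8_t *rdesc, size_t size)
{
    if (rdesc == NULL || size < FIXUP_MIN_SIZE)
        return FIXUP_TOO_SHORT;
    return fixup_unchecked(rdesc, size);
}

/* Constructed input: zero-filled buffer standing in for a device-supplied
 * descriptor; 0x15 is placed at offset 607 only when the buffer can hold it. */
static int run_case(size_t size)
{
    uint8_t *rdesc = calloc(size ? size : 1, 1);
    int result;
    if (rdesc == NULL)
        return -1;
    if (size >= FIXUP_MIN_SIZE)
        rdesc[FIXUP_OFFSET] = 0x15;
    result = (int)fixup_checked(rdesc, size);
    if (result == FIXUP_PATCHED && rdesc[FIXUP_OFFSET] != 0x25)
        result = -1;            /* patch reported but byte not rewritten */
    free(rdesc);
    return result;
}

int main(void)
{
    printf("607 bytes: %d, 608 bytes: %d\n", run_case(607), run_case(608));
    return 0;
}
```

The boundary is the point to test when backporting: a 607-byte descriptor must be rejected and a 608-byte one accepted, since offset 607 is the 608th byte.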

Affected

30 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | | |
| linux | linux | | |
| linux | linux | >= 1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b < d4e6e2680807671e1c73cd6a986b33659ce92f2b | d4e6e2680807671e1c73cd6a986b33659ce92f2b |
| linux | linux | >= 45ec9f17ce46417fc4eccecf388c99e81fb7fcc1 < 7ab7311c43ae19c66c53ccd8c5052a9072a4e338 | 7ab7311c43ae19c66c53ccd8c5052a9072a4e338 |
| linux | linux | >= 5.15.168 < 5.15.191 | 5.15.191 |
| linux | linux | >= 6.1.111 < 6.1.150 | 6.1.150 |
| linux | linux | >= 6.10.11 < 6.11 | 6.11 |
| linux | linux | >= 6.6.52 < 6.6.104 | 6.6.104 |
| linux | linux | >= 7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0 < 4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d | 4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d |
| linux | linux | >= c8000deb68365b461b324d68c7ea89d730f0bb85 < 3055309821dd3da92888f88bad10f0324c3c89fe | 3055309821dd3da92888f88bad10f0324c3c89fe |
| linux | linux | >= c8000deb68365b461b324d68c7ea89d730f0bb85 < c13e95587583d018cfbcc277df7e02d41902ac5a | c13e95587583d018cfbcc277df7e02d41902ac5a |
| linux | linux | >= c8000deb68365b461b324d68c7ea89d730f0bb85 < 0379eb8691b9c4477da0277ae0832036ca4410b4 | 0379eb8691b9c4477da0277ae0832036ca4410b4 |
| linux | linux_kernel | | |
| linux | linux_kernel | | |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.5-1 | 6.16.5-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-106.106 | 6.8.0-106.106 |
| linux | linux_kernel | >= 5.15.168 < 5.15.191 | 5.15.191 |
| linux | linux_kernel | >= 6.1.111 < 6.1.150 | 6.1.150 |
| linux | linux_kernel | >= 6.10.11 < 6.11 | 6.11 |

CVSS provenance

nvd: v3.1, 7.1 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
osv: 7.1 HIGH