CVE-2025-39824
published 2025-09-16CVE-2025-39824: In the Linux kernel, the following vulnerability has been resolved: HID: asus: fix UAF via HID_CLAIMED_INPUT validation After hid_hw_start() is called…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
HID: asus: fix UAF via HID_CLAIMED_INPUT validation
After hid_hw_start() is called hidinput_connect() will eventually be
called to set up the device with the input layer since the
HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()
all input and output reports are processed and corresponding hid_inputs
are allocated and configured via hidinput_configure_usages(). This
process involves slot tagging report fields and configuring usages
by setting relevant bits in the capability bitmaps. However it is possible
that the capability bitmaps are not set at all leading to the subsequent
hidinput_has_been_populated() check to fail leading to the freeing of the
hid_input and the underlying input device.
This becomes problematic because a malicious HID device like a
ASUS ROG N-Key keyboard can trigger the above scenario via a
specially crafted descriptor which then leads to a user-after-free
when the name of the freed input device is written to later on after
hid_hw_start(). Below, report 93 intentionally utilises the
HID_UP_UNDEFINED Usage Page which is skipped during usage
configuration, leading to the frees.
0x05, 0x0D, // Usage Page (Digitizer)
0x09, 0x05, // Usage (Touch Pad)
0xA1, 0x01, // Collection (Application)
0x85, 0x0D, // Report ID (13)
0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00)
0x09, 0xC5, // Usage (0xC5)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x04, // Report Count (4)
0xB1, 0x02, // Feature (Data,Var,Abs)
0x85, 0x5D, // Report ID (93)
0x06, 0x00, 0x00, // Usage Page (Undefined)
0x09, 0x01, // Usage (0x01)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x1B, // Report Count (27)
0x81, 0x02, // Input (Data,Var,Abs)
0xC0, // End Collection
Below is the KASAN splat after triggering the UAF:
[ 21.672709] ====================
Affected
29 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 9ce12d8be12c94334634dd57050444910415e45f < 9a9e4a8317437bf944fa017c66e1e23a0368b5c7 | 9a9e4a8317437bf944fa017c66e1e23a0368b5c7 |
| linux | linux | >= 9ce12d8be12c94334634dd57050444910415e45f < 7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5 | 7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5 |
| linux | linux | >= 9ce12d8be12c94334634dd57050444910415e45f < eaae728e7335b5dbad70966e2bd520a731fdf7b2 | eaae728e7335b5dbad70966e2bd520a731fdf7b2 |
| linux | linux | >= 9ce12d8be12c94334634dd57050444910415e45f < a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c | a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c |
| linux | linux | >= 9ce12d8be12c94334634dd57050444910415e45f < 5f3c0839b173f7f33415eb098331879e547d1d2d | 5f3c0839b173f7f33415eb098331879e547d1d2d |
| linux | linux | >= 9ce12d8be12c94334634dd57050444910415e45f < c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c | c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c |
| linux | linux | >= 9ce12d8be12c94334634dd57050444910415e45f < 72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275 | 72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275 |
| linux | linux | >= 9ce12d8be12c94334634dd57050444910415e45f < d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4 | d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.5-1 | 6.16.5-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-106.106 | 6.8.0-106.106 |
| linux | linux_kernel | >= 4.10 < 5.4.298 | 5.4.298 |
| linux | linux_kernel | >= 5.11 < 5.15.191 | 5.15.191 |
| linux | linux_kernel | >= 5.16 < 6.1.150 | 6.1.150 |
| linux | linux_kernel | >= 5.5 < 5.10.242 | 5.10.242 |
| linux | linux_kernel | >= 6.13 < 6.16.5 | 6.16.5 |
| linux | linux_kernel | >= 6.2 < 6.6.104 | 6.6.104 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH