CVE-2024-57986 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections

A report in 2019 by the syzbot fuzzer was found to be connected to two errors in the HID core associated with Resolution Multipliers. One of the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop in hid_apply_multiplier."), but the other has not been fixed.

This error arises because hid_apply_multipler() assumes that every Resolution Multiplier control is contained in a Logical Collection, i.e., there's no way the routine can ever set multiplier_collection to NULL. This is in spite of the fact that the function starts with a big comment saying:

* "The Resolution Multiplier control must be contained in the same * Logical Collection as the control(s) to which it is to be applied. ... * If no Logical Collection is * defined, the Resolution Multiplier is associated with all * controls in the report." * HID Usage Table, v1.12, Section 4.3.1, p30 * * Thus, search from the current collection upwards until we find a * logical collection...

The comment and the code overlook the possibility that none of the collections found may be a Logical Collection.

The fix is to set the multiplier_collection pointer to NULL if the collection found isn't a Logical Collection.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/24/2026

The vulnerability described in CVE-2024-57986 represents a critical flaw in the Linux kernel's Human Interface Device (HID) core subsystem that stems from an incorrect assumption about the logical structure of HID reports. This issue manifests when the hid_apply_multiplier() function processes resolution multipliers, which are essential for properly scaling input device measurements such as mouse movements or joystick positions. The flaw specifically targets how the kernel handles the relationship between resolution multipliers and their associated logical collections, creating a potential pathway for system instability or unexpected behavior during HID device processing.

The technical root cause of this vulnerability lies in the function's assumption that all resolution multiplier controls must reside within logical collections, a premise that contradicts the HID specification and creates a logical error in the kernel's HID processing logic. According to the HID Usage Table specification version 1.12, section 4.3.1, page 30, resolution multipliers should be associated with controls in the same logical collection, but the kernel implementation fails to account for scenarios where no logical collection exists. The syzbot fuzzer identified this issue in 2019, and while one related error was resolved by commit ea427a222d8b, this particular vulnerability persisted due to the flawed assumption that the multiplier_collection pointer would never be NULL.

This vulnerability operates at the intersection of kernel-level device driver processing and hardware abstraction, creating a potential denial of service condition or system instability when processing malformed HID reports. The flaw specifically affects the HID core's ability to properly handle resolution multipliers when devices do not conform to expected logical collection structures, which can occur with certain USB HID devices or when device descriptors are malformed. The error condition arises during the processing phase where the kernel attempts to apply resolution multipliers to input controls, potentially leading to deadlocks or memory access violations that could compromise system stability.

The operational impact of CVE-2024-57986 extends beyond simple device functionality degradation, as it represents a potential attack vector for privilege escalation or system compromise through carefully crafted HID device inputs. This vulnerability aligns with CWE-835, which addresses infinite loops or infinite recursion in software systems, and could be leveraged in conjunction with other HID-related attack patterns documented in the MITRE ATT&CK framework under the T1059 category for system execution and T1068 for exploit development. The fix implemented addresses the core assumption error by properly handling cases where no logical collection is found, setting the multiplier_collection pointer to NULL when appropriate, thereby preventing the kernel from attempting to process invalid collection references. This remediation ensures that the HID core properly adheres to the specification while maintaining backward compatibility with existing legitimate device configurations.

Responsible

Linux

Reservation

02/27/2025

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00207

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!