CVE-2025-21794 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()
Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from
hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel.
To fix this, a 0 element was added at the end of the array to break the for loop.
[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability identified as CVE-2025-21794 represents a critical stack-based buffer overflow in the Linux kernel's HID subsystem, specifically within the thrustmaster driver component. This issue manifests as a stack-out-of-bounds read condition that occurs during the processing of USB interrupt endpoints, demonstrating a classic example of improper array boundary checking in kernel space code. The flaw exists in the hid-thrustmaster driver where the usb_check_int_endpoints function receives an endpoint address array without proper null termination, leading to memory access violations that can compromise system stability and potentially enable privilege escalation attacks.
The technical implementation of this vulnerability stems from the improper handling of endpoint arrays within the USB communication framework of the Linux kernel. When the usb_check_int_endpoints function processes the ep_addr array, it iterates through the elements using a for loop that assumes the presence of a null terminator to signal the end of valid entries. However, the array passed from the hid-thrustmaster driver lacks this terminating null element, causing the loop to continue reading beyond the allocated memory boundaries. This memory access violation results in a kernel crash, as the system attempts to read from a non-existent memory location that lies beyond the actual array bounds, creating an exploitable condition that can be leveraged for denial-of-service or potentially more severe attacks.
The operational impact of this vulnerability extends beyond simple system instability, as it represents a fundamental flaw in kernel memory management that can be triggered by legitimate USB device enumeration processes. Attackers could potentially exploit this condition by connecting malicious USB devices that trigger the specific code path, leading to kernel panics and system crashes that disrupt normal operations. The vulnerability affects systems running Linux kernels with the affected HID driver components, particularly those that support Thrustmaster gaming devices through USB connections, making it relevant to gaming systems, industrial control environments, and any infrastructure where USB HID devices are prevalent. This type of vulnerability aligns with CWE-129, which describes improper validation of array indices, and demonstrates characteristics consistent with ATT&CK technique T1068, which involves exploiting local privileges to gain system-level access.
The fix implemented for this vulnerability involves adding a null element at the end of the ep_addr array before passing it to the usb_check_int_endpoints function, effectively providing the expected termination marker that the processing loop requires. This approach addresses the root cause by ensuring proper array boundary management and preventing the out-of-bounds memory access that leads to the kernel crash. The solution represents a defensive programming technique that aligns with secure coding practices recommended in both the CWE guidelines and industry best practices for kernel development. The mitigation strategy focuses on maintaining proper array termination and boundary checking, which prevents the loop from accessing memory beyond the intended array limits and eliminates the potential for exploitation. This fix demonstrates the importance of proper array handling in kernel space code and reinforces the need for thorough testing of USB device drivers and kernel subsystems to prevent similar memory corruption vulnerabilities from being introduced in future releases.