CVE-2025-39806 in Linuxinfo

Summary

by MITRE • 09/16/2025

In the Linux kernel, the following vulnerability has been resolved:

HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it.

Below is the KASAN splat after the out of bounds access happens:

[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297] <TASK>
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/24/2026

The vulnerability identified as CVE-2025-39806 resides within the Linux kernel's HID (Human Interface Device) subsystem, specifically in the multitouch handling code. This flaw manifests as a slab out-of-bounds access during the execution of the mt_report_fixup() function, which is responsible for processing HID report descriptors. The vulnerability arises from insufficient bounds checking when handling malformed HID device reports, creating a potential pathway for privilege escalation or system instability. The issue is particularly concerning as it can be triggered by a malicious HID device presenting a report descriptor smaller than the expected 607 bytes, allowing an attacker to manipulate memory access patterns.

The technical root cause of this vulnerability aligns with CWE-129, which describes improper validation of array indices, and more specifically relates to CWE-787, which addresses out-of-bounds write operations. The mt_report_fixup() function attempts to patch byte offset 607 of the HID report descriptor with the value 0x25, but it first checks if byte offset 607 contains 0x15 without verifying that the descriptor is large enough to accommodate such an access. This lack of bounds validation creates a race condition where the kernel reads beyond the allocated memory boundaries of the slab allocator, potentially leading to memory corruption. The KASAN (Kernel Address Sanitizer) output confirms the out-of-bounds read of size 1 at address ff888103df39df, which corresponds to an attempt to access memory beyond the valid descriptor length.

The operational impact of this vulnerability extends beyond simple memory corruption, as it can be exploited by attackers to gain unauthorized access to system resources or cause denial of service conditions. When a malicious HID device connects to a vulnerable system, it can trigger the kernel's HID subsystem to process the malformed descriptor, leading to a kernel panic or privilege escalation depending on the execution context. This vulnerability particularly affects systems that support HID multitouch devices such as touchscreens, drawing tablets, and other multi-touch input peripherals. The exploitation pathway follows ATT&CK technique T1068, which involves local privilege escalation through kernel vulnerabilities, and T1547.001, which covers registry run keys and startup folder modifications that could be leveraged to maintain access post-exploitation.

Mitigation strategies for CVE-2025-39806 should focus on implementing robust input validation within the HID subsystem. The fix implemented in the kernel ensures that the descriptor size is validated before attempting any memory access operations, requiring a minimum descriptor size of 608 bytes to prevent the out-of-bounds access. System administrators should prioritize applying the patched kernel version as soon as possible, particularly in environments where untrusted HID devices might be connected. Additional protective measures include implementing device whitelisting policies, disabling unnecessary HID drivers, and monitoring for anomalous HID device behavior through system logs. Organizations should also consider deploying kernel hardening techniques such as KASAN, KPTI, and SMEP to reduce the attack surface and limit the potential impact of similar vulnerabilities. The vulnerability underscores the importance of comprehensive bounds checking in kernel space code and demonstrates how seemingly minor validation gaps can lead to critical security issues.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00150

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!