Description

In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it. Below is the KASAN splat after the out of bounds access happens: [ 13.671954] ================================================================== [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110 [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10 [ 13.673297] [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3 [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04 [ 13.673297] Call Trace: [ 13.673297] <TASK> [ 13.673297] dump_stack_lvl+0x5f/0x80 [ 13.673297] print_report+0xd1/0x660 [ 13.673297] kasan_report+0xe5/0x120 [ 13.673297] __asan_report_load1_noabort+0x18/0x20 [ 13.673297] mt_report_fixup+0x103/0x110 [ 13.673297] hid_open_report+0x1ef/0x810 [ 13.673297] mt_probe+0x422/0x960 [ 13.673297] hid_device_probe+0x2e2/0x6f0 [ 13.673297] really_probe+0x1c6/0x6b0 [ 13.673297] __driver_probe_device+0x24f/0x310 [ 13.673297] driver_probe_device+0x4e/0x220 [ 13.673297] __device_attach_driver+0x169/0x320 [ 13.673297] bus_for_each_drv+0x11d/0x1b0 [ 13.673297] __device_attach+0x1b8/0x3e0 [ 13.673297] device_initial_probe+0x12/0x20 [ 13.673297] bus_probe_device+0x13d/0x180 [ 13.673297] device_add+0xe3a/0x1670 [ 13.673297] hid_add_device+0x31d/0xa40 [...]

INFO

Published Date :

2025-09-16T13:00:09.524Z

Last Modified :

2025-09-16T13:00:09.524Z

Source :

Linux
AFFECTED PRODUCTS

The following products are affected by CVE-2025-39806 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-39806.

URL Resource
https://git.kernel.org/stable/c/0379eb8691b9c4477da0277ae0832036ca4410b4 cve-icon cve-icon
https://git.kernel.org/stable/c/3055309821dd3da92888f88bad10f0324c3c89fe cve-icon cve-icon
https://git.kernel.org/stable/c/4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d cve-icon cve-icon
https://git.kernel.org/stable/c/7ab7311c43ae19c66c53ccd8c5052a9072a4e338 cve-icon cve-icon
https://git.kernel.org/stable/c/c13e95587583d018cfbcc277df7e02d41902ac5a cve-icon cve-icon
https://git.kernel.org/stable/c/d4e6e2680807671e1c73cd6a986b33659ce92f2b cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System