CVE-2025-38394

{"id": "CVE-2025-38394", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-07-25T13:15:28.843", "references": [{"url": "https://git.kernel.org/stable/c/6ad40b07e15c29712d9a4b8096914ccd82e3fc17", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c80f2b047d5cc42fbd2dff9d1942d4ba7545100f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix memory corruption of input_handler_list\n\nIn appletb_kbd_probe an input handler is initialised and then registered\nwith input core through input_register_handler(). When this happens input\ncore will add the input handler (specifically its node) to the global\ninput_handler_list. The input_handler_list is central to the functionality\nof input core and is traversed in various places in input core. An example\nof this is when a new input device is plugged in and gets registered with\ninput core.\n\nThe input_handler in probe is allocated as device managed memory. If a\nprobe failure occurs after input_register_handler() the input_handler\nmemory is freed, yet it will remain in the input_handler_list. This\neffectively means the input_handler_list contains a dangling pointer\nto data belonging to a freed input handler.\n\nThis causes an issue when any other input device is plugged in - in my\ncase I had an old PixArt HP USB optical mouse and I decided to\nplug it in after a failure occurred after input_register_handler().\nThis lead to the registration of this input device via\ninput_register_device which involves traversing over every handler\nin the corrupted input_handler_list and calling input_attach_handler(),\ngiving each handler a chance to bind to newly registered device.\n\nThe core of this bug is a UAF which causes memory corruption of\ninput_handler_list and to fix it we must ensure the input handler is\nunregistered from input core, this is done through\ninput_unregister_handler().\n\n[ 63.191597] ==================================================================\n[ 63.192094] BUG: KASAN: slab-use-after-free in input_attach_handler.isra.0+0x1a9/0x1e0\n[ 63.192094] Read of size 8 at addr ffff888105ea7c80 by task kworker/0:2/54\n[ 63.192094]\n[ 63.192094] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc2-00321-g2aa6621d\n[ 63.192094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.164\n[ 63.192094] Workqueue: usb_hub_wq hub_event\n[ 63.192094] Call Trace:\n[ 63.192094] <TASK>\n[ 63.192094] dump_stack_lvl+0x53/0x70\n[ 63.192094] print_report+0xce/0x670\n[ 63.192094] kasan_report+0xce/0x100\n[ 63.192094] input_attach_handler.isra.0+0x1a9/0x1e0\n[ 63.192094] input_register_device+0x76c/0xd00\n[ 63.192094] hidinput_connect+0x686d/0xad60\n[ 63.192094] hid_connect+0xf20/0x1b10\n[ 63.192094] hid_hw_start+0x83/0x100\n[ 63.192094] hid_device_probe+0x2d1/0x680\n[ 63.192094] really_probe+0x1c3/0x690\n[ 63.192094] __driver_probe_device+0x247/0x300\n[ 63.192094] driver_probe_device+0x49/0x210\n[ 63.192094] __device_attach_driver+0x160/0x320\n[ 63.192094] bus_for_each_drv+0x10f/0x190\n[ 63.192094] __device_attach+0x18e/0x370\n[ 63.192094] bus_probe_device+0x123/0x170\n[ 63.192094] device_add+0xd4d/0x1460\n[ 63.192094] hid_add_device+0x30b/0x910\n[ 63.192094] usbhid_probe+0x920/0xe00\n[ 63.192094] usb_probe_interface+0x363/0x9a0\n[ 63.192094] really_probe+0x1c3/0x690\n[ 63.192094] __driver_probe_device+0x247/0x300\n[ 63.192094] driver_probe_device+0x49/0x210\n[ 63.192094] __device_attach_driver+0x160/0x320\n[ 63.192094] bus_for_each_drv+0x10f/0x190\n[ 63.192094] __device_attach+0x18e/0x370\n[ 63.192094] bus_probe_device+0x123/0x170\n[ 63.192094] device_add+0xd4d/0x1460\n[ 63.192094] usb_set_configuration+0xd14/0x1880\n[ 63.192094] usb_generic_driver_probe+0x78/0xb0\n[ 63.192094] usb_probe_device+0xaa/0x2e0\n[ 63.192094] really_probe+0x1c3/0x690\n[ 63.192094] __driver_probe_device+0x247/0x300\n[ 63.192094] driver_probe_device+0x49/0x210\n[ 63.192094] __device_attach_driver+0x160/0x320\n[ 63.192094] bus_for_each_drv+0x10f/0x190\n[ 63.192094] __device_attach+0x18e/0x370\n[ 63.192094] bus_probe_device+0x123/0x170\n[ 63.192094] device_add+0xd4d/0x1460\n[ 63.192094] usb_new_device+0x7b4/0x1000\n[ 63.192094] hub_event+0x234d/0x3\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: appletb-kbd: corrige la corrupci\u00f3n de memoria de input_handler_list En appletb_kbd_probe se inicializa un manejador de entrada y luego se registra con el n\u00facleo de entrada a trav\u00e9s de input_register_handler(). Cuando esto sucede, el n\u00facleo de entrada agregar\u00e1 el manejador de entrada (espec\u00edficamente su nodo) a la input_handler_list global. La input_handler_list es central para la funcionalidad del n\u00facleo de entrada y se recorre en varios lugares del n\u00facleo de entrada. Un ejemplo de esto es cuando se conecta un nuevo dispositivo de entrada y se registra con el n\u00facleo de entrada. El input_handler en la sonda se asigna como memoria administrada por el dispositivo. Si ocurre un fallo de la sonda despu\u00e9s de input_register_handler(), la memoria del input_handler se libera, pero permanecer\u00e1 en la input_handler_list. Esto significa efectivamente que la input_handler_list contiene un puntero colgante a los datos que pertenecen a un manejador de entrada liberado. Esto causa un problema al conectar cualquier otro dispositivo de entrada. En mi caso, ten\u00eda un rat\u00f3n \u00f3ptico USB PixArt HP antiguo y decid\u00ed conectarlo tras un fallo despu\u00e9s de la funci\u00f3n input_register_handler(). Esto provoc\u00f3 el registro de este dispositivo de entrada mediante input_register_device, lo que implica recorrer cada controlador de la lista de controladores de entrada corrupta y llamar a input_attach_handler(), lo que permite a cada controlador vincularse al nuevo dispositivo registrado. El problema principal es un UAF que causa corrupci\u00f3n de memoria en la lista de controladores de entrada. Para solucionarlo, debemos asegurarnos de que el controlador de entrada no est\u00e9 registrado en el n\u00facleo de entrada. Esto se realiza mediante input_unregister_handler(). [ 63.191597] ================================================================== [ 63.192094] BUG: KASAN: slab-use-after-free in input_attach_handler.isra.0+0x1a9/0x1e0 [ 63.192094] Read of size 8 at addr ffff888105ea7c80 by task kworker/0:2/54 [ 63.192094] [ 63.192094] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc2-00321-g2aa6621d [ 63.192094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.164 [ 63.192094] Workqueue: usb_hub_wq hub_event [ 63.192094] Call Trace: [ 63.192094] [ 63.192094] dump_stack_lvl+0x53/0x70 [ 63.192094] print_report+0xce/0x670 [ 63.192094] kasan_report+0xce/0x100 [ 63.192094] input_attach_handler.isra.0+0x1a9/0x1e0 [ 63.192094] input_register_device+0x76c/0xd00 [ 63.192094] hidinput_connect+0x686d/0xad60 [ 63.192094] hid_connect+0xf20/0x1b10 [ 63.192094] hid_hw_start+0x83/0x100 [ 63.192094] hid_device_probe+0x2d1/0x680 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [ 63.192094] bus_for_each_drv+0x10f/0x190 [ 63.192094] __device_attach+0x18e/0x370 [ 63.192094] bus_probe_device+0x123/0x170 [ 63.192094] device_add+0xd4d/0x1460 [ 63.192094] hid_add_device+0x30b/0x910 [ 63.192094] usbhid_probe+0x920/0xe00 [ 63.192094] usb_probe_interface+0x363/0x9a0 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [ 63.192094] bus_for_each_drv+0x10f/0x190 [ 63.192094] __device_attach+0x18e/0x370 [ 63.192094] bus_probe_device+0x123/0x170 [ 63.192094] device_add+0xd4d/0x1460 [ 63.192094] usb_set_configuration+0xd14/0x1880 [ 63.192094] usb_generic_driver_probe+0x78/0xb0 [ 63.192094] usb_probe_device+0xaa/0x2e0 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 ---truncado---"}], "lastModified": "2025-11-19T19:12:57.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "575B7891-8019-4D0D-B284-1B8DA410C942", "versionEndExcluding": "6.15.6", "versionStartIncluding": "6.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "415BF58A-8197-43F5-B3D7-D1D63057A26E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0517869-312D-4429-80C2-561086E1421C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}