CVE-2025-39809— HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length
Affected Version Matrix 6
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-39809
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length The QuickI2C ACPI _DSD methods return ICRS and ISUB data with a trailing byte, making the actual length is one more byte than the structs defined. It caused stack-out-of-bounds and kernel crash: kernel: BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75 kernel: kernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary) kernel: Workqueue: async async_run_entry_fn kernel: Call Trace: kernel: <TASK> kernel: dump_stack_lvl+0x76/0xa0 kernel: print_report+0xd1/0x660 kernel: ? __pfx__raw_spin_lock_irqsave+0x10/0x10 kernel: ? __kasan_slab_free+0x5d/0x80 kernel: ? kasan_addr_to_slab+0xd/0xb0 kernel: kasan_report+0xe1/0x120 kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: kasan_check_range+0x11c/0x200 kernel: __asan_memcpy+0x3b/0x80 kernel: quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c] kernel: ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c] kernel: quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c] [...] kernel: </TASK> kernel: kernel: The buggy address belongs to stack of task kworker/u33:2/75 kernel: and is located at offset 48 in frame: kernel: quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c] kernel: kernel: This frame has 3 objects: kernel: [32, 36) 'hid_desc_addr' kernel: [48, 59) 'i2c_param' kernel: [80, 224) 'i2c_config' ACPI DSD methods return: \_SB.PC00.THC0.ICRS Buffer 000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00 \_SB.PC00.THC0.ISUB Buffer 00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00 Adding reserved padding to quicki2c_subip_acpi_parameter/config.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于QuickI2C ACPI _DSD方法返回的ICRS和ISUB数据长度计算错误,可能导致栈溢出和内核崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-39809
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-39809
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-09-16 · 115 CVEs total
| CVE-2022-50340 | media: vimc: Fix wrong function called when vimc_init() fails | |
| CVE-2023-53307 | rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails | |
| CVE-2023-53305 | Bluetooth: L2CAP: Fix use-after-free | |
| CVE-2023-53304 | netfilter: nft_set_rbtree: fix overlap expiration walk | |
| CVE-2022-50351 | cifs: Fix xid leak in cifs_create() | |
| CVE-2022-50352 | net: hns: fix possible memory leak in hnae_ae_register() | |
| CVE-2022-50350 | scsi: target: iscsi: Fix a race condition between login_work and the login thread | |
| CVE-2022-50348 | nfsd: Fix a memory leak in an error handling path | |
| CVE-2022-50349 | misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() | |
| CVE-2022-50347 | mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() | |
| CVE-2022-50346 | ext4: init quota for 'old.inode' in 'ext4_rename' | |
| CVE-2022-50343 | rapidio: fix possible name leaks when rio_add_device() fails | |
| CVE-2022-50344 | ext4: fix null-ptr-deref in ext4_write_info | |
| CVE-2022-50342 | floppy: Fix memory leak in do_floppy_init() | |
| CVE-2022-50341 | cifs: fix oops during encryption | |
| CVE-2025-39827 | net: rose: include node references in rose_neigh refcount | |
| CVE-2025-39830 | net/mlx5: HWS, Fix memory leak in hws_pool_buddy_init error path | |
| CVE-2025-39829 | trace/fgraph: Fix the warning caused by missing unregister notifier | |
| CVE-2025-39828 | atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). | |
| CVE-2025-39831 | fbnic: Move phylink resume out of service_task and into open/close |
Showing top 20 of 115 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
Same vendor: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
V. Comments for CVE-2025-39809
No comments yet