Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-39824— HID: asus: fix UAF via HID_CLAIMED_INPUT validation

EPSS 0.02% · P5

Affected Version Matrix 18

VendorProductVersion RangeStatus
LinuxLinux9ce12d8be12c94334634dd57050444910415e45f< 9a9e4a8317437bf944fa017c66e1e23a0368b5c7affected
9ce12d8be12c94334634dd57050444910415e45f< 7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5affected
9ce12d8be12c94334634dd57050444910415e45f< eaae728e7335b5dbad70966e2bd520a731fdf7b2affected
9ce12d8be12c94334634dd57050444910415e45f< a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62caffected
9ce12d8be12c94334634dd57050444910415e45f< 5f3c0839b173f7f33415eb098331879e547d1d2daffected
9ce12d8be12c94334634dd57050444910415e45f< c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1caffected
9ce12d8be12c94334634dd57050444910415e45f< 72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275affected
9ce12d8be12c94334634dd57050444910415e45f< d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4affected
… +10 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-39824

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
HID: asus: fix UAF via HID_CLAIMED_INPUT validation
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: HID: asus: fix UAF via HID_CLAIMED_INPUT validation After hid_hw_start() is called hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are processed and corresponding hid_inputs are allocated and configured via hidinput_configure_usages(). This process involves slot tagging report fields and configuring usages by setting relevant bits in the capability bitmaps. However it is possible that the capability bitmaps are not set at all leading to the subsequent hidinput_has_been_populated() check to fail leading to the freeing of the hid_input and the underlying input device. This becomes problematic because a malicious HID device like a ASUS ROG N-Key keyboard can trigger the above scenario via a specially crafted descriptor which then leads to a user-after-free when the name of the freed input device is written to later on after hid_hw_start(). Below, report 93 intentionally utilises the HID_UP_UNDEFINED Usage Page which is skipped during usage configuration, leading to the frees. 0x05, 0x0D, // Usage Page (Digitizer) 0x09, 0x05, // Usage (Touch Pad) 0xA1, 0x01, // Collection (Application) 0x85, 0x0D, // Report ID (13) 0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00) 0x09, 0xC5, // Usage (0xC5) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x04, // Report Count (4) 0xB1, 0x02, // Feature (Data,Var,Abs) 0x85, 0x5D, // Report ID (93) 0x06, 0x00, 0x00, // Usage Page (Undefined) 0x09, 0x01, // Usage (0x01) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x1B, // Report Count (27) 0x81, 0x02, // Input (Data,Var,Abs) 0xC0, // End Collection Below is the KASAN splat after triggering the UAF: [ 21.672709] ================================================================== [ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80 [ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54 [ 21.673700] [ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary) [ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 21.673700] Call Trace: [ 21.673700] <TASK> [ 21.673700] dump_stack_lvl+0x5f/0x80 [ 21.673700] print_report+0xd1/0x660 [ 21.673700] kasan_report+0xe5/0x120 [ 21.673700] __asan_report_store8_noabort+0x1b/0x30 [ 21.673700] asus_probe+0xeeb/0xf80 [ 21.673700] hid_device_probe+0x2ee/0x700 [ 21.673700] really_probe+0x1c6/0x6b0 [ 21.673700] __driver_probe_device+0x24f/0x310 [ 21.673700] driver_probe_device+0x4e/0x220 [...] [ 21.673700] [ 21.673700] Allocated by task 54: [ 21.673700] kasan_save_stack+0x3d/0x60 [ 21.673700] kasan_save_track+0x18/0x40 [ 21.673700] kasan_save_alloc_info+0x3b/0x50 [ 21.673700] __kasan_kmalloc+0x9c/0xa0 [ 21.673700] __kmalloc_cache_noprof+0x139/0x340 [ 21.673700] input_allocate_device+0x44/0x370 [ 21.673700] hidinput_connect+0xcb6/0x2630 [ 21.673700] hid_connect+0xf74/0x1d60 [ 21.673700] hid_hw_start+0x8c/0x110 [ 21.673700] asus_probe+0x5a3/0xf80 [ 21.673700] hid_device_probe+0x2ee/0x700 [ 21.673700] really_probe+0x1c6/0x6b0 [ 21.673700] __driver_probe_device+0x24f/0x310 [ 21.673700] driver_probe_device+0x4e/0x220 [...] [ 21.673700] [ 21.673700] Freed by task 54: [ 21.673700] kasan_save_stack+0x3d/0x60 [ 21.673700] kasan_save_track+0x18/0x40 [ 21.673700] kasan_save_free_info+0x3f/0x60 [ 21.673700] __kasan_slab_free+0x3c/0x50 [ 21.673700] kfre ---truncated---
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于HID_CLAIMED_INPUT验证不当,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 9ce12d8be12c94334634dd57050444910415e45f ~ 9a9e4a8317437bf944fa017c66e1e23a0368b5c7 -
LinuxLinux 4.10 -

II. Public POCs for CVE-2025-39824

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-39824

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-09-16 · 115 CVEs total

CVE-2022-50340media: vimc: Fix wrong function called when vimc_init() fails
CVE-2023-53307rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
CVE-2023-53305Bluetooth: L2CAP: Fix use-after-free
CVE-2023-53304netfilter: nft_set_rbtree: fix overlap expiration walk
CVE-2022-50351cifs: Fix xid leak in cifs_create()
CVE-2022-50352net: hns: fix possible memory leak in hnae_ae_register()
CVE-2022-50350scsi: target: iscsi: Fix a race condition between login_work and the login thread
CVE-2022-50348nfsd: Fix a memory leak in an error handling path
CVE-2022-50349misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
CVE-2022-50347mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
CVE-2022-50346ext4: init quota for 'old.inode' in 'ext4_rename'
CVE-2022-50343rapidio: fix possible name leaks when rio_add_device() fails
CVE-2022-50344ext4: fix null-ptr-deref in ext4_write_info
CVE-2022-50342floppy: Fix memory leak in do_floppy_init()
CVE-2022-50341cifs: fix oops during encryption
CVE-2025-39827net: rose: include node references in rose_neigh refcount
CVE-2025-39830net/mlx5: HWS, Fix memory leak in hws_pool_buddy_init error path
CVE-2025-39829trace/fgraph: Fix the warning caused by missing unregister notifier
CVE-2025-39828atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
CVE-2025-39831fbnic: Move phylink resume out of service_task and into open/close

Showing top 20 of 115 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-39824

No comments yet

Leave a comment