{"id":"AZL-66491","summary":"CVE-2025-38556 affecting package kernel for versions less than 6.6.119.3-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Harden s32ton() against conversion to 0 bits\n\nTesting by the syzbot fuzzer showed that the HID core gets a\nshift-out-of-bounds exception when it tries to convert a 32-bit\nquantity to a 0-bit quantity.  Ideally this should never occur, but\nthere are buggy devices and some might have a report field with size\nset to zero; we shouldn't reject the report or the device just because\nof that.\n\nInstead, harden the s32ton() routine so that it returns a reasonable\nresult instead of crashing when it is called with the number of bits\nset to 0 -- the same as what snto32() does.","modified":"2026-04-01T05:20:59.215388Z","published":"2025-08-19T17:15:31Z","upstream":["CVE-2025-38556"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38556"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.119.3-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66491.json"}}],"schema_version":"1.7.5"}