{"id":"AZL-67422","summary":"CVE-2025-39824 affecting package kernel for versions less than 6.6.104.2-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: fix UAF via HID_CLAIMED_INPUT validation\n\nAfter hid_hw_start() is called hidinput_connect() will eventually be\ncalled to set up the device with the input layer since the\nHID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()\nall input and output reports are processed and corresponding hid_inputs\nare allocated and configured via hidinput_configure_usages(). This\nprocess involves slot tagging report fields and configuring usages\nby setting relevant bits in the capability bitmaps. However it is possible\nthat the capability bitmaps are not set at all leading to the subsequent\nhidinput_has_been_populated() check to fail leading to the freeing of the\nhid_input and the underlying input device.\n\nThis becomes problematic because a malicious HID device like a\nASUS ROG N-Key keyboard can trigger the above scenario via a\nspecially crafted descriptor which then leads to a user-after-free\nwhen the name of the freed input device is written to later on after\nhid_hw_start(). Below, report 93 intentionally utilises the\nHID_UP_UNDEFINED Usage Page which is skipped during usage\nconfiguration, leading to the frees.\n\n0x05, 0x0D,        // Usage Page (Digitizer)\n0x09, 0x05,        // Usage (Touch Pad)\n0xA1, 0x01,        // Collection (Application)\n0x85, 0x0D,        //   Report ID (13)\n0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)\n0x09, 0xC5,        //   Usage (0xC5)\n0x15, 0x00,        //   Logical Minimum (0)\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\n0x75, 0x08,        //   Report Size (8)\n0x95, 0x04,        //   Report Count (4)\n0xB1, 0x02,        //   Feature (Data,Var,Abs)\n0x85, 0x5D,        //   Report ID (93)\n0x06, 0x00, 0x00,  //   Usage Page (Undefined)\n0x09, 0x01,        //   Usage (0x01)\n0x15, 0x00,        //   Logical Minimum (0)\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\n0x75, 0x08,        //   Report Size (8)\n0x95, 0x1B,        //   Report Count (27)\n0x81, 0x02,        //   Input (Data,Var,Abs)\n0xC0,              // End Collection\n\nBelow is the KASAN splat after triggering the UAF:\n\n[   21.672709] ==================================================================\n[   21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80\n[   21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54\n[   21.673700]\n[   21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)\n[   21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[   21.673700] Call Trace:\n[   21.673700]  \u003cTASK\u003e\n[   21.673700]  dump_stack_lvl+0x5f/0x80\n[   21.673700]  print_report+0xd1/0x660\n[   21.673700]  kasan_report+0xe5/0x120\n[   21.673700]  __asan_report_store8_noabort+0x1b/0x30\n[   21.673700]  asus_probe+0xeeb/0xf80\n[   21.673700]  hid_device_probe+0x2ee/0x700\n[   21.673700]  really_probe+0x1c6/0x6b0\n[   21.673700]  __driver_probe_device+0x24f/0x310\n[   21.673700]  driver_probe_device+0x4e/0x220\n[...]\n[   21.673700]\n[   21.673700] Allocated by task 54:\n[   21.673700]  kasan_save_stack+0x3d/0x60\n[   21.673700]  kasan_save_track+0x18/0x40\n[   21.673700]  kasan_save_alloc_info+0x3b/0x50\n[   21.673700]  __kasan_kmalloc+0x9c/0xa0\n[   21.673700]  __kmalloc_cache_noprof+0x139/0x340\n[   21.673700]  input_allocate_device+0x44/0x370\n[   21.673700]  hidinput_connect+0xcb6/0x2630\n[   21.673700]  hid_connect+0xf74/0x1d60\n[   21.673700]  hid_hw_start+0x8c/0x110\n[   21.673700]  asus_probe+0x5a3/0xf80\n[   21.673700]  hid_device_probe+0x2ee/0x700\n[   21.673700]  really_probe+0x1c6/0x6b0\n[   21.673700]  __driver_probe_device+0x24f/0x310\n[   21.673700]  driver_probe_device+0x4e/0x220\n[...]\n[   21.673700]\n[   21.673700] Freed by task 54:\n[   21.673700]  kasan_save_stack+0x3d/0x60\n[   21.673700]  kasan_save_track+0x18/0x40\n[   21.673700]  kasan_save_free_info+0x3f/0x60\n[   21.673700]  __kasan_slab_free+0x3c/0x50\n[   21.673700]  kfre\n---truncated---","modified":"2026-04-01T05:21:12.513191Z","published":"2025-09-16T13:16:01Z","upstream":["CVE-2025-39824"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39824"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.104.2-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67422.json"}}],"schema_version":"1.7.5"}