CVE-2025-38494

HIGH
2025-07-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Jul 28, 2025 - 12:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: core: do not bypass hid_hw_raw_request

hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid params to be used.

Analysis

A vulnerability in the Linux kernel's HID (Human Interface Device) core subsystem allows local attackers with low privileges to bypass input validation checks when interacting with HID devices. The flaw occurs because certain code paths directly call low-level transport driver functions instead of using the hid_hw_raw_request() function, which performs critical buffer and length validation. With an EPSS score of only 0.01% and no known exploitation in the wild, this represents a local privilege escalation risk primarily concerning systems with untrusted local users.

Technical Context

The vulnerability affects the Human Interface Device (HID) subsystem in the Linux kernel, which handles communication with USB, Bluetooth, and other HID devices like keyboards, mice, and game controllers. The affected versions span from Linux kernel 4.14 through 6.16-rc3 based on the CPE data. The issue stems from improper input validation where certain code paths bypass the hid_hw_raw_request() function's safety checks by directly invoking transport driver functions. This allows invalid parameters including malformed buffer sizes or data to be passed to kernel drivers, potentially leading to memory corruption or other undefined behavior. While no specific CWE is assigned, this represents a classic input validation bypass vulnerability pattern.

Affected Products

The vulnerability affects Linux kernel versions from 4.14 through 6.16-rc3 as indicated by the CPE entries (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). Specific affected versions include the 4.14.x, 4.19.x, 5.4.x, 5.10.x, 6.1.x, and 6.6.x stable branches, as well as 6.16 release candidates 1 through 3. Debian has issued security advisories for their LTS releases as referenced in debian-lts-announce/2025/01/msg00007.html and msg00008.html. Multiple kernel.org git commits provide patches for various kernel branches, with the mainline fix available at commit dd8e8314f2ce225dade5248dcfb9e2ac0edda624.

Remediation

Apply the vendor-provided patches by updating to the latest stable kernel version for your distribution branch. For specific kernel branches, patches are available at kernel.org including commits 0e5017d84d65 (4.14), 40e25aa7e4e0 (4.19), d18f63e848840100 (5.4), a62a895edb2b (5.10), 19d1314d46c0 (6.1), c2ca42f190b6 (6.6), and dd8e8314f2ce (mainline). Debian users should apply updates referenced in their security advisories. As a temporary mitigation, restrict local access to trusted users only and monitor for unusual HID device interactions in system logs, though patching remains the definitive solution.

Priority Score

Score: 39
KEV: 0
EPSS: +0.0
CVSS: +39
POC: 0

