CVE-2025-21794 (GCVE-0-2025-21794)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 20:59
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel. To fix this, a 0 element was added at the end of the array to break the for loop. [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
Severity ?
7.1 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 220883fba32549a34f0734e4859d07f4dcd56992 , < 436f48c864186e9413d1b7c6e91767cc9e1a65b8 (git)
Affected: ae730deded66150204c494282969bfa98dc3ae67 , < f3ce05283f6cb6e19c220f5382def43dc5bd56b9 (git)
Affected: e5bcae4212a6a4b4204f46a1b8bcba08909d2007 , < cdd9a1ea23ff1a272547217100663e8de4eada40 (git)
Affected: 816e84602900f7f951458d743fa12769635ebfd5 , < 73e36a699b9f46322ffb81f072a24e64f728dba7 (git)
Affected: 50420d7c79c37a3efe4010ff9b1bb14bc61ebccf , < 0b43d98ff29be3144e86294486b1373b5df74c0e (git)
Create a notification for this product.
    Linux Linux Affected: 6.6.76 , < 6.6.79 (semver)
Affected: 6.12.13 , < 6.12.16 (semver)
Affected: 6.13.2 , < 6.13.4 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21794",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:28:58.615776Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:36:39.154Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:37.420Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-thrustmaster.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "436f48c864186e9413d1b7c6e91767cc9e1a65b8",
              "status": "affected",
              "version": "220883fba32549a34f0734e4859d07f4dcd56992",
              "versionType": "git"
            },
            {
              "lessThan": "f3ce05283f6cb6e19c220f5382def43dc5bd56b9",
              "status": "affected",
              "version": "ae730deded66150204c494282969bfa98dc3ae67",
              "versionType": "git"
            },
            {
              "lessThan": "cdd9a1ea23ff1a272547217100663e8de4eada40",
              "status": "affected",
              "version": "e5bcae4212a6a4b4204f46a1b8bcba08909d2007",
              "versionType": "git"
            },
            {
              "lessThan": "73e36a699b9f46322ffb81f072a24e64f728dba7",
              "status": "affected",
              "version": "816e84602900f7f951458d743fa12769635ebfd5",
              "versionType": "git"
            },
            {
              "lessThan": "0b43d98ff29be3144e86294486b1373b5df74c0e",
              "status": "affected",
              "version": "50420d7c79c37a3efe4010ff9b1bb14bc61ebccf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-thrustmaster.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.6.79",
              "status": "affected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.16",
              "status": "affected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThan": "6.13.4",
              "status": "affected",
              "version": "6.13.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "6.6.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()\n\nSyzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from\nhid-thrustmaster driver. This array is passed to usb_check_int_endpoints\nfunction from usb.c core driver, which executes a for loop that iterates\nover the elements of the passed array. Not finding a null element at the end of\nthe array, it tries to read the next, non-existent element, crashing the kernel.\n\nTo fix this, a 0 element was added at the end of the array to break the for\nloop.\n\n[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:22.682Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/436f48c864186e9413d1b7c6e91767cc9e1a65b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3ce05283f6cb6e19c220f5382def43dc5bd56b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdd9a1ea23ff1a272547217100663e8de4eada40"
        },
        {
          "url": "https://git.kernel.org/stable/c/73e36a699b9f46322ffb81f072a24e64f728dba7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b43d98ff29be3144e86294486b1373b5df74c0e"
        }
      ],
      "title": "HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21794",
    "datePublished": "2025-02-27T02:18:30.907Z",
    "dateReserved": "2024-12-29T08:45:45.767Z",
    "dateUpdated": "2025-11-03T20:59:37.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21794\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T03:15:20.293\",\"lastModified\":\"2025-11-03T21:19:10.753\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()\\n\\nSyzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from\\nhid-thrustmaster driver. This array is passed to usb_check_int_endpoints\\nfunction from usb.c core driver, which executes a for loop that iterates\\nover the elements of the passed array. Not finding a null element at the end of\\nthe array, it tries to read the next, non-existent element, crashing the kernel.\\n\\nTo fix this, a 0 element was added at the end of the array to break the for\\nloop.\\n\\n[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: hid-thrustmaster: correcci\u00f3n de lectura fuera de los l\u00edmites de pila en usb_check_int_endpoints() Syzbot[1] ha detectado una lectura fuera de los l\u00edmites de pila de la matriz ep_addr del controlador hid-thrustmaster. Esta matriz se pasa a la funci\u00f3n usb_check_int_endpoints del controlador del n\u00facleo usb.c, que ejecuta un bucle for que itera sobre los elementos de la matriz pasada. Al no encontrar un elemento nulo al final de la matriz, intenta leer el siguiente elemento inexistente, lo que hace que el kernel se bloquee. Para corregir esto, se agreg\u00f3 un elemento 0 al final de la matriz para romper el bucle for. [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.76\",\"versionEndExcluding\":\"6.6.79\",\"matchCriteriaId\":\"D48B56A5-E076-490E-B5A6-F3AB84C22E89\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.12.13\",\"versionEndExcluding\":\"6.12.16\",\"matchCriteriaId\":\"88327018-7D74-4C95-9672-29D99D630F66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13.2\",\"versionEndExcluding\":\"6.13.4\",\"matchCriteriaId\":\"25A9DD1C-2E5A-4631-9F6A-B06B38D2D88B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0b43d98ff29be3144e86294486b1373b5df74c0e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/436f48c864186e9413d1b7c6e91767cc9e1a65b8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/73e36a699b9f46322ffb81f072a24e64f728dba7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cdd9a1ea23ff1a272547217100663e8de4eada40\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f3ce05283f6cb6e19c220f5382def43dc5bd56b9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.