CVE-2025-39806
Description
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in a report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15; however, it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297]
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, the HID multitouch driver's mt_report_fixup() lacks bounds checking, allowing a malicious device to cause a slab out-of-bounds read.
Vulnerability
Details
The Linux kernel's HID multitouch driver contains a slab out-of-bounds read vulnerability in the mt_report_fixup() function. When processing a HID report descriptor, the function attempts to patch byte offset 607 with 0x25 after checking if that byte is 0x15. However, it fails to verify that the descriptor is at least 608 bytes long, allowing a malicious device to provide a smaller descriptor and trigger an out-of-bounds access.
Exploitation
An attacker with physical access or the ability to connect a malicious HID device (e.g., via USB or Bluetooth) can exploit this vulnerability. No authentication is required; the device is processed during kernel probe. The out-of-bounds read occurs when mt_report_fixup() is called from hid_open_report() during device initialization.
Impact
Successful exploitation can cause a kernel crash (as demonstrated by the KASAN report) or potentially leak sensitive kernel memory. The CVSS v3 score of 7.1 (High) reflects the risk of denial of service or information disclosure.
Mitigation
The fix adds a bounds check ensuring the descriptor size is at least 608 bytes before accessing offset 607. Patches have been applied to the stable kernel trees [2][3][4]. Siemens has also listed this CVE in their advisory for the SIMATIC CN 4100 product [1]. Users should update their kernels to the latest patched versions.
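The bounds check described above, modelled in user-space C as an added example (not the kernel's code or the patch itself). `struct rdesc`, `at()`, `fixup_unchecked()`, `fixup_checked()` and `oob_accesses()` are hypothetical names, and the 1024-byte backing array and descriptor lengths are constructed so the out-of-bounds case can be counted without reading past a real allocation.

```c
#include <stdint.h>
#include <stdio.h>
#define FIXUP_OFF 607u /* offset named in the CVE description */

/* Constructed model of a descriptor buffer (not the kernel's types). `oob`
 * counts accesses at or past `len`, the event KASAN flagged in the splat. */
struct rdesc { uint8_t buf[1024]; size_t len; unsigned oob; };

static uint8_t *at(struct rdesc *d, size_t off)
{
    if (off >= d->len)
        d->oob++;          /* would be a slab-out-of-bounds access */
    return &d->buf[off];   /* still inside buf[], so the model stays defined */
}

/* "Before" pattern: offset 607 is dereferenced without consulting len. */
static int fixup_unchecked(struct rdesc *d)
{
    if (*at(d, FIXUP_OFF) != 0x15)
        return 0;          /* nothing to patch */
    *at(d, FIXUP_OFF) = 0x25;
    return 1;              /* patched */
}

/* "After" pattern: require at least 608 bytes before touching offset 607. */
static int fixup_checked(struct rdesc *d)
{
    if (d->len < FIXUP_OFF + 1)
        return -1;         /* too short: descriptor left untouched */
    return fixup_unchecked(d);
}

/* Build a zeroed descriptor of `len` bytes (0x15 at 607 when it fits), run
 * one variant, store its return value, and return the out-of-bounds count. */
static unsigned oob_accesses(size_t len, int checked, int *ret)
{
    struct rdesc d = { .len = len };
    if (len > FIXUP_OFF)
        d.buf[FIXUP_OFF] = 0x15;
    *ret = checked ? fixup_checked(&d) : fixup_unchecked(&d);
    return d.oob;
}

int main(void)
{
    size_t lens[] = { 64, 607, 608 };   /* constructed sizes around the boundary */
    for (int i = 0, r; i < 3; i++)
        printf("len=%zu unchecked_oob=%u checked_oob=%u\n", lens[i], oob_accesses(lens[i], 0, &r), oob_accesses(lens[i], 1, &r));
    return 0;
}
```

A 607-byte descriptor is the boundary case: its last valid index is 606, so only the 608-byte minimum keeps offset 607 in bounds.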
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux/Linux, v5, Range: 6.11
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/0379eb8691b9c4477da0277ae0832036ca4410b4 (nvd, Patch)
- git.kernel.org/stable/c/3055309821dd3da92888f88bad10f0324c3c89fe (nvd, Patch)
- git.kernel.org/stable/c/4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d (nvd, Patch)
- git.kernel.org/stable/c/7ab7311c43ae19c66c53ccd8c5052a9072a4e338 (nvd, Patch)
- git.kernel.org/stable/c/c13e95587583d018cfbcc277df7e02d41902ac5a (nvd, Patch)
- git.kernel.org/stable/c/d4e6e2680807671e1c73cd6a986b33659ce92f2b (nvd, Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)