Out-of-Bounds Access Vulnerability in Linux Kernel HID Multitouch Feature
CVE-2025-39806
What is CVE-2025-39806?
A vulnerability exists in the Linux kernel within the HID multitouch functionality, specifically in the mt_report_fixup() method. This issue arises when a malicious HID device sends a report descriptor smaller than the expected size of 607 bytes. The mt_report_fixup() function attempts to modify the byte at offset 607 without validating the size of the descriptor first. This oversight may lead to a slab out-of-bounds access, potentially allowing an attacker to execute arbitrary code or cause a denial of service. The vulnerability has been addressed by enforcing a minimum descriptor size of 608 bytes before any access is attempted, thus preventing any malicious exploitation.
Affected Version(s)
Linux 7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0 < 4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d
Linux 45ec9f17ce46417fc4eccecf388c99e81fb7fcc1 < 7ab7311c43ae19c66c53ccd8c5052a9072a4e338
Linux 1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b