{"id":"CVE-2025-38394","summary":"HID: appletb-kbd: fix memory corruption of input_handler_list","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix memory corruption of input_handler_list\n\nIn appletb_kbd_probe an input handler is initialised and then registered\nwith input core through input_register_handler(). When this happens input\ncore will add the input handler (specifically its node) to the global\ninput_handler_list. The input_handler_list is central to the functionality\nof input core and is traversed in various places in input core. An example\nof this is when a new input device is plugged in and gets registered with\ninput core.\n\nThe input_handler in probe is allocated as device managed memory. If a\nprobe failure occurs after input_register_handler() the input_handler\nmemory is freed, yet it will remain in the input_handler_list. This\neffectively means the input_handler_list contains a dangling pointer\nto data belonging to a freed input handler.\n\nThis causes an issue when any other input device is plugged in - in my\ncase I had an old PixArt HP USB optical mouse and I decided to\nplug it in after a failure occurred after input_register_handler().\nThis lead to the registration of this input device via\ninput_register_device which involves traversing over every handler\nin the corrupted input_handler_list and calling input_attach_handler(),\ngiving each handler a chance to bind to newly registered device.\n\nThe core of this bug is a UAF which causes memory corruption of\ninput_handler_list and to fix it we must ensure the input handler is\nunregistered from input core, this is done through\ninput_unregister_handler().\n\n[   63.191597] ==================================================================\n[   63.192094] BUG: KASAN: slab-use-after-free in input_attach_handler.isra.0+0x1a9/0x1e0\n[   63.192094] Read of size 8 at addr ffff888105ea7c80 by task kworker/0:2/54\n[   63.192094]\n[   63.192094] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc2-00321-g2aa6621d\n[   63.192094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.164\n[   63.192094] Workqueue: usb_hub_wq hub_event\n[   63.192094] Call Trace:\n[   63.192094]  \u003cTASK\u003e\n[   63.192094]  dump_stack_lvl+0x53/0x70\n[   63.192094]  print_report+0xce/0x670\n[   63.192094]  kasan_report+0xce/0x100\n[   63.192094]  input_attach_handler.isra.0+0x1a9/0x1e0\n[   63.192094]  input_register_device+0x76c/0xd00\n[   63.192094]  hidinput_connect+0x686d/0xad60\n[   63.192094]  hid_connect+0xf20/0x1b10\n[   63.192094]  hid_hw_start+0x83/0x100\n[   63.192094]  hid_device_probe+0x2d1/0x680\n[   63.192094]  really_probe+0x1c3/0x690\n[   63.192094]  __driver_probe_device+0x247/0x300\n[   63.192094]  driver_probe_device+0x49/0x210\n[   63.192094]  __device_attach_driver+0x160/0x320\n[   63.192094]  bus_for_each_drv+0x10f/0x190\n[   63.192094]  __device_attach+0x18e/0x370\n[   63.192094]  bus_probe_device+0x123/0x170\n[   63.192094]  device_add+0xd4d/0x1460\n[   63.192094]  hid_add_device+0x30b/0x910\n[   63.192094]  usbhid_probe+0x920/0xe00\n[   63.192094]  usb_probe_interface+0x363/0x9a0\n[   63.192094]  really_probe+0x1c3/0x690\n[   63.192094]  __driver_probe_device+0x247/0x300\n[   63.192094]  driver_probe_device+0x49/0x210\n[   63.192094]  __device_attach_driver+0x160/0x320\n[   63.192094]  bus_for_each_drv+0x10f/0x190\n[   63.192094]  __device_attach+0x18e/0x370\n[   63.192094]  bus_probe_device+0x123/0x170\n[   63.192094]  device_add+0xd4d/0x1460\n[   63.192094]  usb_set_configuration+0xd14/0x1880\n[   63.192094]  usb_generic_driver_probe+0x78/0xb0\n[   63.192094]  usb_probe_device+0xaa/0x2e0\n[   63.192094]  really_probe+0x1c3/0x690\n[   63.192094]  __driver_probe_device+0x247/0x300\n[   63.192094]  driver_probe_device+0x49/0x210\n[   63.192094]  __device_attach_driver+0x160/0x320\n[   63.192094]  bus_for_each_drv+0x10f/0x190\n[   63.192094]  __device_attach+0x18e/0x370\n[   63.192094]  bus_probe_device+0x123/0x170\n[   63.192094]  device_add+0xd4d/0x1460\n[   63.192094]  usb_new_device+0x7b4/0x1000\n[   63.192094]  hub_event+0x234d/0x3\n---truncated---","modified":"2026-04-02T12:47:57.811062Z","published":"2025-07-25T12:53:39.017Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38394.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6ad40b07e15c29712d9a4b8096914ccd82e3fc17"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c80f2b047d5cc42fbd2dff9d1942d4ba7545100f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38394.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38394"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7d62ba8deacf94f546a0b9dd9bc86617343187a3"},{"fixed":"6ad40b07e15c29712d9a4b8096914ccd82e3fc17"},{"fixed":"c80f2b047d5cc42fbd2dff9d1942d4ba7545100f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38394.json"}}],"schema_version":"1.7.5"}