CVE-2025-21794
Published: 27 February 2025
Summary
CVE-2025-21794 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 1.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Flaw remediation (SI-2) directly prevents exploitation: a timely patch to the hid-thrustmaster driver adds the null terminator to the ep_addr array, which eliminates the out-of-bounds read.
Kernel memory-protection mechanisms limit the impact of a stack out-of-bounds read by restricting memory access during USB endpoint processing.
Secure error handling (SI-11) ensures that an invalid iteration in usb_check_int_endpoints over an unterminated endpoint array does not end in a kernel crash.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The out-of-bounds read in the Linux kernel USB driver can be exploited directly by a local, low-privileged attacker to trigger a kernel panic and denial of service, which matches Application or System Exploitation under Endpoint Denial of Service.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel. To fix this, a 0 element was added at the end of the array to break the for loop. [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
Deeper analysis [AI]
CVE-2025-21794 is a stack out-of-bounds read vulnerability in the Linux kernel's hid-thrustmaster driver. The flaw arises when the ep_addr array is passed to the usb_check_int_endpoints() function from the usb.c core driver without a null terminator at the end. This causes a for loop in usb_check_int_endpoints() to iterate beyond the array's bounds, attempting to read a non-existent element and resulting in a kernel crash. The vulnerability, associated with CWE-125, was published on 2025-02-27 and carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. Exploitation triggers the out-of-bounds read while a Thrustmaster HID USB device is being handled, leading to a kernel panic and denial of service. The CVSS metrics rate both confidentiality and availability impact as high: the availability impact comes from the crash, and the confidentiality impact from the read of memory beyond the array on the kernel stack.
Mitigation requires updating to a patched Linux kernel version. Upstream fixes, available in stable kernel repositories, add a 0 (null) element to the end of the ep_addr array in the hid-thrustmaster driver to properly terminate the loop in usb_check_int_endpoints(). Relevant patches include commits such as 0b43d98ff29be3144e86294486b1373b5df74c0e, 436f48c864186e9413d1b7c6e91767cc9e1a65b8, and others listed in kernel.org stable trees.
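The bug pattern described in the NVD text and above, as an added illustration that is not the kernel's code: a walker that stops only at a 0 element, the shape of the unterminated array (the bug) beside the terminated one (the fix), and a defensive bounds-aware guard. The function names `walk_terminated_list`, `list_is_terminated` and `count_endpoints_checked` are hypothetical, the endpoint address values are constructed, and the walker is a model of the loop the advisory describes, not the real `usb_check_int_endpoints()`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the loop the advisory describes: the walker keeps reading
 * until it meets a 0 element, so an array without that sentinel sends it
 * past the end of the buffer. Constructed stand-in, not the kernel's
 * usb_check_int_endpoints(). */
static size_t walk_terminated_list(const unsigned char *ep_addrs)
{
    size_t n = 0;
    for (; *ep_addrs; ++ep_addrs)
        n++;
    return n;
}

/* Defensive guard (hypothetical name): confirm the 0 sentinel is present
 * within the 'len' elements the caller actually owns, so the walker is
 * never handed an array it would read past. */
bool list_is_terminated(const unsigned char *ep_addrs, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (ep_addrs[i] == 0)
            return true;
    return false;
}

/* Count endpoints, but only walk arrays the guard has accepted.
 * Returns -1 for an unterminated array instead of reading beyond it. */
long count_endpoints_checked(const unsigned char *ep_addrs, size_t len)
{
    if (!list_is_terminated(ep_addrs, len))
        return -1;
    return (long)walk_terminated_list(ep_addrs);
}

/* Constructed sample arrays; the endpoint address values are illustrative.
 * The first has the shape of the bug (no terminator), the second the
 * shape of the fix (a trailing 0 element). */
const unsigned char ep_addr_unterminated[] = { 0x81, 0x01 };
const unsigned char ep_addr_terminated[]   = { 0x81, 0x01, 0 };

int main(void)
{
    printf("unterminated: %ld\n",
           count_endpoints_checked(ep_addr_unterminated,
                                   sizeof ep_addr_unterminated));
    printf("terminated:   %ld\n",
           count_endpoints_checked(ep_addr_terminated,
                                   sizeof ep_addr_terminated));
    return 0;
}
```

The guard only works because it is given the array's real length; a sentinel-terminated interface carries no length of its own, which is exactly why the missing 0 element went unnoticed until the fuzzer walked off the end of the stack buffer.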
The issue was found by Syzbot, the kernel fuzzing service, as documented at https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad. No exploitation in the wild has been reported.
Details
- CWE(s)