Cyber Posture

CVE-2025-21794

High

Published: 27 February 2025

Modified: 03 November 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (1.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()

Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel.

To fix this, a 0 element was added at the end of the array to break the for loop.

[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad

Security Summary

CVE-2025-21794 is a stack out-of-bounds read vulnerability in the Linux kernel's hid-thrustmaster driver. The flaw arises when the ep_addr array is passed to the usb_check_int_endpoints() function from the usb.c core driver without a null terminator at the end. This causes a for loop in usb_check_int_endpoints() to iterate beyond the array's bounds, attempting to read a non-existent element and resulting in a kernel crash. The vulnerability, associated with CWE-125, was published on 2025-02-27 and carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. Exploitation triggers the out-of-bounds read during handling of Thrustmaster HID USB devices, leading to a kernel panic and denial of service. The CVSS metrics indicate potential high confidentiality impact alongside high availability impact, stemming from the nature of the stack read.

Mitigation requires updating to a patched Linux kernel version. Upstream fixes, available in stable kernel repositories, add a 0 (null) element to the end of the ep_addr array in the hid-thrustmaster driver to properly terminate the loop in usb_check_int_endpoints(). Relevant patches include commits such as 0b43d98ff29be3144e86294486b1373b5df74c0e, 436f48c864186e9413d1b7c6e91767cc9e1a65b8, and others listed in kernel.org stable trees.

The issue was detected by Syzbot, a kernel fuzzer, as detailed at https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad. No real-world exploitation in the wild has been reported.
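The 0-terminated walk and the one-element fix described above, as an added user-space model (not the kernel's or the driver's code). `check_int_endpoints_model`, `dev_int_eps`, `EP_LIST`, the `cap` parameter and the endpoint values are assumptions made for illustration; `cap` lets the model report the overread instead of performing it.

```c
#include <stdint.h>
#include <stdio.h>

static const uint8_t dev_int_eps[] = { 0x81, 0x02 };  /* constructed sample */

static int dev_has_int_ep(uint8_t addr)
{
    for (size_t i = 0; i < sizeof(dev_int_eps); i++)
        if (dev_int_eps[i] == addr)
            return 1;
    return 0;
}

/*
 * Bounded model of the 0-terminated endpoint walk. `cap` (the true array
 * size) is an assumption of this model; the helper described above gets only
 * a pointer. Returns 1: all listed endpoints are interrupt endpoints,
 * 0: one is not, -1: no terminator inside the array (overread in real code).
 */
static int check_int_endpoints_model(const uint8_t *ep_addrs, size_t cap)
{
    for (size_t i = 0; i < cap; i++) {
        if (ep_addrs[i] == 0)
            return 1;   /* sentinel reached: the loop ends cleanly */
        if (!dev_has_int_ep(ep_addrs[i]))
            return 0;   /* early exit, before any overread */
    }
    return -1;          /* walked off the end without a sentinel */
}

#define EP_LIST(...) { __VA_ARGS__, 0 }  /* hypothetical hardening macro */

static int demo_unterminated(void)
{
    uint8_t ep_addr[1] = { 0x81 };      /* shape of the bug: no 0 at the end */
    return check_int_endpoints_model(ep_addr, sizeof(ep_addr));
}

static int demo_terminated(void)
{
    uint8_t ep_addr[] = EP_LIST(0x81);  /* shape of the fix: { 0x81, 0 } */
    return check_int_endpoints_model(ep_addr, sizeof(ep_addr));
}

int main(void)
{
    printf("unterminated: %d, terminated: %d\n", demo_unterminated(), demo_terminated());
    return 0;
}
```

The model also shows why the overread depends on the device: the walk only runs past the array when every listed endpoint validates, since a failed check returns first.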

Details

CWE(s)
CWE-125

Affected Products

linux
linux kernel
6.14 · 6.6.76 — 6.6.79 · 6.12.13 — 6.12.16 · 6.13.2 — 6.13.4

References