CVE-2025-21948: NULL pointer dereference in the Linux kernel (HID appleir driver)
In the Linux kernel, the following vulnerability has been resolved:

HID: appleir: Fix potential NULL dereference at raw event handle

Syzkaller reports a NULL pointer dereference issue in input_event().

BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]
BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395
Read of size 8 at addr 0000000000000028 by task syz-executor199/2949

CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
kasan_report+0xd9/0x110 mm/kasan/report.c:602
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
is_event_supported drivers/input/input.c:67 [inline]
input_event+0x42/0xa0 drivers/input/input.c:395
input_report_key include/linux/input.h:439 [inline]
key_down drivers/hid/hid-appleir.c:159 [inline]
appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232
__hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111
hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484
__usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993
__run_hrtimer kernel/time/hrtimer.c:1739 [inline]
__hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820
handle_softirqs+0x206/0x8d0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662
irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
__mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185
add_timer+0x62/0x90 kernel/time/timer.c:1295
schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98
usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645
usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784
hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>

This happens due to the malformed report items sent by the emulated device, which results in a report that has no fields being added to the report list. Due to this, appleir_input_configured() is never called, hidinput_connect() fails, which results in the HID_CLAIMED_INPUT flag not being set. However, it does not make appleir_probe() fail and lets the event callback be called without the associated input device. Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook early if the driver didn't claim any input_dev for some reason. Moreover, some other hid drivers accessing input_dev in their event callbacks do have similar checks, too.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
AI Analysis
Technical Summary
CVE-2025-21948 is a NULL pointer dereference in the Linux kernel's HID (Human Interface Device) subsystem, specifically in the appleir driver (drivers/hid/hid-appleir.c) that handles Apple infrared remote receivers. The fault fires in input_event(), reached through input_report_key() from the driver's raw event handler appleir_raw_event(), but the root cause lies earlier, at probe time. A USB device that presents the identifiers the appleir driver binds to can supply a malformed report descriptor whose items produce a report with no fields. The HID core still adds that report to the report list, but hidinput_connect() fails, appleir_input_configured() is never called, and HID_CLAIMED_INPUT is never set on the hid_device. Because appleir_probe() does not treat this as an error, the driver stays bound with its input_dev pointer NULL. The first report the device then delivers is handed to appleir_raw_event(), which calls input_report_key() on that NULL pointer; the KASAN read at address 0x28 corresponds to the evbit bitmap that is_event_supported() tests. Other HID drivers that touch input_dev from their event callbacks already check HID_CLAIMED_INPUT; appleir did not. The fix adds that check and returns from the event hook early when the driver has not claimed an input device.

The trace was produced by Syzkaller on 6.13.0-rc4 using the dummy_hcd USB gadget emulation (the reproducer ran as UID 0). The page lists no affected version range; since the driver predates that release, any kernel that ships hid-appleir without the fix should be treated as affected until a vendor advisory says otherwise. The practical effect is denial of service: the dereference happens in URB completion (softirq) context, where an oops is fatal, so the machine panics rather than a process being killed. Triggering it requires the attacker to present a USB HID device, physical or emulated, that matches the appleir driver's device table. Nothing in the report indicates control over the dereferenced pointer, so no privilege escalation or code execution is suggested. No exploitation in the wild has been reported and no CVSS score has been assigned.
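To make the probe and event ordering concrete, here is an added example in plain C that is not kernel code and not the upstream patch. struct hid_device, struct appleir, hid_hw_start(), key_down() and input_report_key() are simplified stand-ins written for this page, HID_CLAIMED_INPUT is assumed to be bit 0 as in include/linux/hid.h, key decoding is reduced to "data[0] is the key code", and the sample report byte is constructed. The model counts input_report_key() calls that arrive with a NULL input_dev instead of dereferencing it, so the unchecked hook's would-be oops shows up as a count of 1 while the checked hook returns early.

```c
/* Added example, not kernel code: a simplified model of the probe and
 * raw-event flow behind CVE-2025-21948. Only the shape of the bug and of
 * the fix is preserved; all structs and helpers are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#define HID_CLAIMED_INPUT 1u   /* assumed BIT(0), as in include/linux/hid.h */

struct input_dev { int events; };                       /* key events delivered */
struct hid_device { unsigned int claimed; void *driver_data; };
struct appleir {
    struct input_dev *input_dev;   /* NULL unless appleir_input_configured() ran */
    struct input_dev storage;
};
struct outcome { int null_derefs; int delivered; };

/* input_report_key() -> input_event() -> is_event_supported() reads dev->evbit;
 * with dev == NULL that is the read at 0x28 in the KASAN report. The model
 * counts such calls instead of crashing the host process. */
static int null_dev_reports;

static void input_report_key(struct input_dev *dev, int code, int value)
{
    if (dev == NULL) {
        null_dev_reports++;
        return;
    }
    if (value)
        dev->events++;
}

/* Models hid_hw_start(): a malformed descriptor yields a field-less report, so
 * hidinput_connect() fails, appleir_input_configured() never runs and
 * HID_CLAIMED_INPUT stays clear. Probe still succeeds, so the driver stays
 * bound and its raw_event hook stays live with input_dev == NULL. */
static int hid_hw_start(struct hid_device *hid, bool report_has_fields)
{
    struct appleir *appleir = hid->driver_data;

    if (!report_has_fields)
        return 0;
    appleir->storage.events = 0;              /* appleir_input_configured() */
    appleir->input_dev = &appleir->storage;
    hid->claimed |= HID_CLAIMED_INPUT;
    return 0;
}

static void key_down(struct hid_device *hid, int code)
{
    struct appleir *appleir = hid->driver_data;

    input_report_key(appleir->input_dev, code, 1);
}

/* Pre-fix shape: the hook assumes probe left an input_dev behind. */
static int appleir_raw_event_unchecked(struct hid_device *hid,
                                       const unsigned char *data, int len)
{
    if (len < 1)
        return 0;
    key_down(hid, data[0]);
    return 0;
}

/* Fixed shape: leave early when the driver claimed no input device. */
static int appleir_raw_event_checked(struct hid_device *hid,
                                     const unsigned char *data, int len)
{
    if (!(hid->claimed & HID_CLAIMED_INPUT))
        return 0;
    if (len < 1)
        return 0;
    key_down(hid, data[0]);
    return 0;
}

/* Probe with a well-formed or malformed descriptor, then push one constructed
 * report through the chosen hook and report what happened. */
static struct outcome run_scenario(bool report_has_fields, bool with_fix)
{
    struct appleir appleir = { 0 };
    struct hid_device hid = { .claimed = 0, .driver_data = &appleir };
    const unsigned char report[] = { 0x0a };  /* constructed sample report */
    struct outcome out;

    null_dev_reports = 0;
    hid_hw_start(&hid, report_has_fields);
    if (with_fix)
        appleir_raw_event_checked(&hid, report, (int)sizeof(report));
    else
        appleir_raw_event_unchecked(&hid, report, (int)sizeof(report));
    out.null_derefs = null_dev_reports;
    out.delivered = appleir.input_dev ? appleir.input_dev->events : 0;
    return out;
}

static int null_derefs_for(bool f, bool x) { return run_scenario(f, x).null_derefs; }
static int delivered_for(bool f, bool x) { return run_scenario(f, x).delivered; }
```

null_derefs_for(false, false) shows the pre-fix path reaching input_report_key() with a NULL device, and null_derefs_for(false, true) shows the HID_CLAIMED_INPUT guard stopping it; the well-formed-descriptor cases deliver one event either way, which is the point of the fix being a guard rather than a behaviour change. In the real driver the guard belongs at the top of appleir_raw_event(), before anything touches appleir->input_dev.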
Potential Impact
For European organizations, as for any Linux user, the exposure is denial of service on systems that carry an unpatched hid-appleir and that can have USB HID devices attached. The driver is normally built as a loadable module and is autoloaded through modalias matching when a device with matching identifiers enumerates, so a host does not need to have ever used an Apple remote to be affected; the module only needs to be present on disk and autoloading permitted. The crash runs in URB completion (softirq) context, where an oops is fatal, so the result is a panic and reboot rather than a killed process. The realistic targets are therefore workstations, laptops, kiosks and thin clients with reachable USB ports, and any kernel that accepts passed-through or emulated USB devices from a less trusted party. In virtualized and cloud environments the exposure is mainly the guest kernel receiving USB passthrough; a guest cannot ordinarily present USB devices to its hypervisor, and the syzkaller reproducer itself needed the dummy_hcd gadget emulation running as root. Nothing in the report indicates control over the dereferenced pointer, so neither privilege escalation nor remote code execution is suggested, but for environments with strict availability requirements (finance, telecommunications, public services) an attacker with physical or virtual device access can reliably take a machine down until it is patched. No public exploits are known, which lowers the immediate risk but not the ease of triggering the fault.
Mitigation Recommendations
1. Apply the kernel update. The upstream description states the issue "has been resolved", so the fix is in mainline and reaches distribution kernels through stable backports; track your vendor's advisory for CVE-2025-21948 and confirm the running kernel after reboot with uname -r.
2. If no Apple IR receiver is used, keep the driver from loading. The module is hid_appleir: "blacklist hid_appleir" in a file under /etc/modprobe.d/ stops modalias-driven autoload, and "install hid_appleir /bin/false" additionally blocks explicit modprobe. Verify with "lsmod | grep hid_appleir" (should print nothing), and on custom kernels build without CONFIG_HID_APPLEIR.
3. Control which USB devices can be attached. USBGuard, or the kernel's per-controller authorized_default and per-device authorized sysfs attributes, allow a default-deny policy for new USB devices with an allow-list of known ones; this covers the whole class of malicious-HID bugs, not only this one.
4. In virtualized and cloud environments, limit USB passthrough to trusted devices, and do not ship gadget emulation (dummy_hcd, raw-gadget) in production kernels: the trace above shows the report being injected through dummy_hcd.
5. Capture and alert on kernel panics (kdump, pstore or netconsole). An oops whose trace passes through appleir_raw_event() and input_event() with a fault address of 0x28 matches this bug and should be treated as a possible attack rather than a hardware fault.
6. Keep an inventory of kernel versions and module sets in use so exposure to this and similar HID CVEs can be assessed quickly from vendor advisories.
7. Fuzz your own USB/HID attack surface (syzkaller's USB fuzzing or a hardware USB fuzzer) when shipping custom kernels; this bug was found exactly that way.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.790Z
- CISA Enriched: false
- CVSS Version: none (no score assigned)
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8cb2
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 10:58:25 AM
Last updated: 8/12/2025, 2:42:42 PM