{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21948","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.790Z","datePublished":"2025-04-01T15:41:09.949Z","dateUpdated":"2026-05-11T21:09:38.330Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:09:38.330Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appleir: Fix potential NULL dereference at raw event handle\n\nSyzkaller reports a NULL pointer dereference issue in input_event().\n\nBUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]\nBUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]\nBUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395\nRead of size 8 at addr 0000000000000028 by task syz-executor199/2949\n\nCPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n kasan_report+0xd9/0x110 mm/kasan/report.c:602\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read include/linux/instrumented.h:68 [inline]\n _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n is_event_supported drivers/input/input.c:67 [inline]\n input_event+0x42/0xa0 drivers/input/input.c:395\n input_report_key include/linux/input.h:439 [inline]\n key_down drivers/hid/hid-appleir.c:159 [inline]\n appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232\n __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111\n hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484\n __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650\n usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734\n dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993\n __run_hrtimer kernel/time/hrtimer.c:1739 [inline]\n __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803\n hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820\n handle_softirqs+0x206/0x8d0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185\n add_timer+0x62/0x90 kernel/time/timer.c:1295\n schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98\n usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645\n usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784\n hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThis happens due to the malformed report items sent by the emulated device\nwhich results in a report, that has no fields, being added to the report list.\nDue to this appleir_input_configured() is never called, hidinput_connect()\nfails which results in the HID_CLAIMED_INPUT flag is not being set. However,\nit  does not make appleir_probe() fail and lets the event callback to be\ncalled without the associated input device.\n\nThus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook\nearly if the driver didn't claim any input_dev for some reason. Moreover,\nsome other hid drivers accessing input_dev in their event callbacks do have\nsimilar checks, too.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/hid/hid-appleir.c"],"versions":[{"version":"9a4a5574ce427c364d81746fc7fb82d86b5f1a7e","lessThan":"6db423b00940b05df2a1265d3c7eabafe9f1734c","status":"affected","versionType":"git"},{"version":"9a4a5574ce427c364d81746fc7fb82d86b5f1a7e","lessThan":"0df1ac8ee417ad76760ff076faa4518a4d861894","status":"affected","versionType":"git"},{"version":"9a4a5574ce427c364d81746fc7fb82d86b5f1a7e","lessThan":"b1d95d733cd6e74f595653daddcfc357bea461e8","status":"affected","versionType":"git"},{"version":"9a4a5574ce427c364d81746fc7fb82d86b5f1a7e","lessThan":"8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee","status":"affected","versionType":"git"},{"version":"9a4a5574ce427c364d81746fc7fb82d86b5f1a7e","lessThan":"fc69e2c3219d433caabba4b5d6371ba726a4b37f","status":"affected","versionType":"git"},{"version":"9a4a5574ce427c364d81746fc7fb82d86b5f1a7e","lessThan":"d335fce8b88b2353f4bb20c631698e20384e3610","status":"affected","versionType":"git"},{"version":"9a4a5574ce427c364d81746fc7fb82d86b5f1a7e","lessThan":"68cdf6710f228dfd74f66ec61fbe636da2646a73","status":"affected","versionType":"git"},{"version":"9a4a5574ce427c364d81746fc7fb82d86b5f1a7e","lessThan":"2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/hid/hid-appleir.c"],"versions":[{"version":"3.10","status":"affected"},{"version":"0","lessThan":"3.10","status":"unaffected","versionType":"semver"},{"version":"5.4.291","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.235","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.179","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.131","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.83","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.19","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.7","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.4.291"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.10.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.15.179"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.1.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.6.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.12.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.13.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6db423b00940b05df2a1265d3c7eabafe9f1734c"},{"url":"https://git.kernel.org/stable/c/0df1ac8ee417ad76760ff076faa4518a4d861894"},{"url":"https://git.kernel.org/stable/c/b1d95d733cd6e74f595653daddcfc357bea461e8"},{"url":"https://git.kernel.org/stable/c/8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee"},{"url":"https://git.kernel.org/stable/c/fc69e2c3219d433caabba4b5d6371ba726a4b37f"},{"url":"https://git.kernel.org/stable/c/d335fce8b88b2353f4bb20c631698e20384e3610"},{"url":"https://git.kernel.org/stable/c/68cdf6710f228dfd74f66ec61fbe636da2646a73"},{"url":"https://git.kernel.org/stable/c/2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1"}],"title":"HID: appleir: Fix potential NULL dereference at raw event handle","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-476","lang":"en","description":"CWE-476 NULL Pointer Dereference"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-10-01T17:17:14.096468Z","id":"CVE-2025-21948","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T17:17:18.360Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:39:50.130Z"}}]}}