CVE-2025-21794
📋 TL;DR
A stack-out-of-bounds read vulnerability in the Linux kernel's hid-thrustmaster driver allows reading beyond allocated memory boundaries. This affects Linux systems using Thrustmaster USB HID devices and can lead to kernel crashes or potential information disclosure.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, potential information disclosure from kernel memory, or local privilege escalation if combined with other vulnerabilities.
Likely Case
System crash or instability when using Thrustmaster USB devices, requiring reboot to restore functionality.
If Mitigated
No impact if Thrustmaster USB devices are not used or if the vulnerable driver is not loaded.
🎯 Exploit Status
Exploitation requires physical access to connect a Thrustmaster USB device or ability to trigger the driver through other means. The vulnerability was discovered through fuzzing (syzbot).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing the fix commits referenced in the CVE
Vendor Advisory: https://git.kernel.org/stable/c/0b43d98ff29be3144e86294486b1373b5df74c0e
Restart Required: No
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel packages.
3. Reboot to load the new kernel if not using kexec or livepatch capabilities.
🔧 Temporary Workarounds
Disable hid-thrustmaster driver
Linux: Prevent loading of the vulnerable driver module
echo 'blacklist hid-thrustmaster' >> /etc/modprobe.d/blacklist.conf
rmmod hid-thrustmaster
Restrict USB device access
Linux: Prevent unauthorized Thrustmaster USB devices from being connected
Use udev rules to block Thrustmaster vendor/product IDs
🧯 If You Can't Patch
- Disconnect all Thrustmaster USB devices from vulnerable systems
- Implement strict physical access controls to prevent unauthorized USB device connections
🔍 How to Verify
Check if Vulnerable:
Check whether the hid-thrustmaster driver is loaded: lsmod | grep hid_thrustmaster. If it is loaded and the running kernel predates the fix commits, the system is vulnerable.
Check Version:
uname -r
Verify Fix Applied:
Confirm the running kernel contains the fix commits and that the hid-thrustmaster driver functions normally with Thrustmaster devices.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- Oops messages in dmesg or /var/log/kern.log
- USB device connection errors for Thrustmaster devices
Network Indicators:
- None - this is a local driver vulnerability
SIEM Query:
Search for kernel panic or Oops messages containing 'hid-thrustmaster', 'usb_check_int_endpoints', or stack trace references
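The verification checks above and the SIEM query, as an added shell example that is not part of this advisory: it tests whether hid-thrustmaster is loaded or blacklisted and scans kernel log lines for the Oops/KASAN indicators listed under Detection & Monitoring. The module list, modprobe.d file and log lines it uses are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example for CVE-2025-21794 (not part of the advisory). Three defender
# checks: is hid-thrustmaster loaded, is it blacklisted, do kernel logs carry
# the Oops/panic indicators listed above. Inputs below are constructed samples;
# on a real host use /proc/modules, /etc/modprobe.d/*.conf and /var/log/kern.log.

# Is the vulnerable module loaded? $1 = /proc/modules-style file.
driver_loaded() {
    grep -q '^hid_thrustmaster ' "$1"
}

# Is the module blacklisted? $1 = modprobe.d configuration file.
driver_blacklisted() {
    grep -Eq '^[[:space:]]*blacklist[[:space:]]+hid[-_]thrustmaster' "$1"
}

# Print log lines naming the driver or usb_check_int_endpoints within 12 lines
# of an Oops/BUG/panic/KASAN report (an Oops spans many lines, so the trigger
# and the module name rarely share one line). Exit 0 if anything matched.
scan_kernel_log() {
    awk '
      { l = tolower($0) }
      l ~ /oops|bug:|kernel panic|kasan/ { window = 12 }
      window > 0 && l ~ /hid[-_]thrustmaster|usb_check_int_endpoints/ { print; hits++ }
      window > 0 { window-- }
      END { exit (hits ? 0 : 1) }
    ' "$1"
}

# Constructed sample inputs (not real captures) so the script runs offline.
TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT
printf 'hid_thrustmaster 16384 0 - Live 0x0000000000000000\nusbhid 65536 1 hid_thrustmaster, Live 0x0000000000000000\n' > "$TMP/modules"
printf '# local hardening\nblacklist hid-thrustmaster\n' > "$TMP/blacklist.conf"
printf '# nothing blacklisted here\n' > "$TMP/empty.conf"
cat > "$TMP/kern.log" <<'EOF'
Mar 10 09:12:01 host kernel: usb 1-1: new full-speed USB device number 4 using xhci_hcd
Mar 10 09:12:02 host kernel: BUG: KASAN: stack-out-of-bounds in usb_check_int_endpoints+0x1a0/0x200
Mar 10 09:12:02 host kernel: Modules linked in: hid_thrustmaster usbhid hid
Mar 10 09:12:05 host kernel: usb 1-1: USB disconnect, device number 4
EOF
head -n 1 "$TMP/kern.log" > "$TMP/clean.log"

driver_loaded "$TMP/modules" && echo "hid_thrustmaster is loaded"
driver_blacklisted "$TMP/blacklist.conf" && echo "hid-thrustmaster is blacklisted"
scan_kernel_log "$TMP/kern.log" || echo "no indicators in kern.log"
```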
🔗 References
- https://git.kernel.org/stable/c/0b43d98ff29be3144e86294486b1373b5df74c0e
- https://git.kernel.org/stable/c/436f48c864186e9413d1b7c6e91767cc9e1a65b8
- https://git.kernel.org/stable/c/73e36a699b9f46322ffb81f072a24e64f728dba7
- https://git.kernel.org/stable/c/cdd9a1ea23ff1a272547217100663e8de4eada40
- https://git.kernel.org/stable/c/f3ce05283f6cb6e19c220f5382def43dc5bd56b9
- https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html