CVE-2025-32776
📋 TL;DR
OpenRazer versions before 3.10.2 contain an out-of-bounds read vulnerability in the custom kernel driver. An attacker with local access can write specially crafted data to the matrix_custom_frame file, causing the driver to read beyond provided user-space data and potentially send malformed RGB data to USB devices. This affects GNU/Linux systems using OpenRazer to control Razer peripherals.
💻 Affected Systems
- OpenRazer
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious RGB data could be sent to USB devices, potentially causing device malfunction, firmware corruption, or triggering other USB-related vulnerabilities in connected Razer hardware.
Likely Case
Local privilege escalation or denial of service by crashing the kernel driver, potentially leading to system instability or requiring reboot.
If Mitigated
Limited impact with proper access controls restricting write access to matrix_custom_frame to trusted users only.
🎯 Exploit Status
Exploitation requires local access and understanding of the driver's memory layout. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.10.2
Vendor Advisory: https://github.com/openrazer/openrazer/security/advisories/GHSA-835j-6976-46jx
Restart Required: Yes
Instructions:
1. Update OpenRazer to version 3.10.2 or later via package manager. 2. Restart the openrazer-daemon service. 3. Reboot system to ensure kernel module is reloaded.
🔧 Temporary Workarounds
Restrict file access
linuxLimit write access to matrix_custom_frame files to trusted users only
sudo chmod 600 /sys/bus/hid/drivers/razerkbd/*/matrix_custom_frame
sudo chown root:root /sys/bus/hid/drivers/razerkbd/*/matrix_custom_frame
🧯 If You Can't Patch
- Remove or restrict local user accounts to minimize attack surface
- Disable OpenRazer service if Razer device functionality is not essential
🔍 How to Verify
Check if Vulnerable:
Check OpenRazer version: dpkg -l openrazer-meta or check if /sys/bus/hid/drivers/razerkbd exists and version < 3.10.2Check Version:
dpkg -l openrazer-meta | grep ^ii || openrazer-daemon --version 2>/dev/null || echo 'OpenRazer not installed'Verify Fix Applied:
Verify version is 3.10.2 or higher: openrazer-daemon --version📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing razerkbd module crashes or errors
- System logs showing unauthorized access attempts to /sys/bus/hid/drivers/razerkbd/
Network Indicators:
- Unusual USB traffic patterns from system to Razer devices
SIEM Query:
source="kernel" AND "razerkbd" AND ("panic" OR "oops" OR "segfault")🔗 References
- https://github.com/openrazer/openrazer/commit/57610511d2548eda66999eaed5aa4517e89d6d39
- https://github.com/openrazer/openrazer/commit/d869abd20995b4931795e1cde54d4ac84d9ca62f
- https://github.com/openrazer/openrazer/issues/2433
- https://github.com/openrazer/openrazer/security/advisories/GHSA-835j-6976-46jx
- https://lists.debian.org/debian-lts-announce/2025/04/msg00032.html
