CVE-2025-38394
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's HID appletb-kbd driver. When a probe failure occurs after registering an input handler, the handler memory is freed but remains in a global list, causing memory corruption when other input devices are connected. This affects Linux systems using the vulnerable driver.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic, system crash, or potential privilege escalation leading to full system compromise through memory corruption.
Likely Case
System instability, crashes, or denial of service when connecting input devices after a driver probe failure.
If Mitigated
Minor system instability that may require reboot if the vulnerable driver is loaded but not actively used.
🎯 Exploit Status
Exploitation requires triggering a probe failure after input handler registration and then connecting another input device. This is a race condition that may be difficult to reliably trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with commits 6ad40b07e15c29712d9a4b8096914ccd82e3fc17 and c80f2b047d5cc42fbd2dff9d1942d4ba7545100f applied
Vendor Advisory: https://git.kernel.org/stable/c/6ad40b07e15c29712d9a4b8096914ccd82e3fc17
Restart Required: Yes
Instructions:
1. Update Linux kernel to a version containing the fix commits. 2. For distributions: Use package manager (apt/yum/dnf) to update kernel package. 3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable appletb-kbd driver
linuxPrevent loading of the vulnerable driver module
echo 'blacklist appletb_kbd' >> /etc/modprobe.d/blacklist.conf
rmmod appletb_kbd
Restrict USB device connections
linuxPrevent triggering the vulnerability by restricting USB input device connections
# Configure USB device authorization policies
# Use udev rules to block specific device types
🧯 If You Can't Patch
- Monitor system logs for KASAN reports or kernel panics related to input_attach_handler
- Restrict physical access to USB ports and implement USB device control policies
🔍 How to Verify
Check if Vulnerable:
Check if appletb_kbd module is loaded: lsmod | grep appletb_kbd. Check kernel version against patched versions.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits: grep -r '6ad40b07e15c29712d9a4b8096914ccd82e3fc17\|c80f2b047d5cc42fbd2dff9d1942d4ba7545100f' /boot/config-*📡 Detection & Monitoring
Log Indicators:
- KASAN: slab-use-after-free in input_attach_handler
- kernel panic messages
- input core error messages
Network Indicators:
- None - this is a local kernel vulnerability
SIEM Query:
source="kernel" AND ("KASAN: slab-use-after-free" OR "input_attach_handler" OR "appletb_kbd")