{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T03:10:26.224","vulnerabilities":[{"cve":{"id":"CVE-2025-38557","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-19T17:15:31.960","lastModified":"2025-11-28T14:41:59.877","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: apple: validate feature-report field count to prevent NULL pointer dereference\n\nA malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL\npointer dereference whilst the power feature-report is toggled and sent to\nthe device in apple_magic_backlight_report_set(). The power feature-report\nis expected to have two data fields, but if the descriptor declares one\nfield then accessing field[1] and dereferencing it in\napple_magic_backlight_report_set() becomes invalid\nsince field[1] will be NULL.\n\nAn example of a minimal descriptor which can cause the crash is something\nlike the following where the report with ID 3 (power report) only\nreferences a single 1-byte field. When hid core parses the descriptor it\nwill encounter the final feature tag, allocate a hid_report (all members\nof field[] will be zeroed out), create field structure and populate it,\nincreasing the maxfield to 1. The subsequent field[1] access and\ndereference causes the crash.\n\n Usage Page (Vendor Defined 0xFF00)\n Usage (0x0F)\n Collection (Application)\n Report ID (1)\n Usage (0x01)\n Logical Minimum (0)\n Logical Maximum (255)\n Report Size (8)\n Report Count (1)\n Feature (Data,Var,Abs)\n\n Usage (0x02)\n Logical Maximum (32767)\n Report Size (16)\n Report Count (1)\n Feature (Data,Var,Abs)\n\n Report ID (3)\n Usage (0x03)\n Logical Minimum (0)\n Logical Maximum (1)\n Report Size (8)\n Report Count (1)\n Feature (Data,Var,Abs)\n End Collection\n\nHere we see the KASAN splat when the kernel dereferences the\nNULL pointer and crashes:\n\n [ 15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI\n [ 15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n [ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)\n [ 15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n [ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210\n [ 15.165691] Call Trace:\n [ 15.165691] \n [ 15.165691] apple_probe+0x571/0xa20\n [ 15.165691] hid_device_probe+0x2e2/0x6f0\n [ 15.165691] really_probe+0x1ca/0x5c0\n [ 15.165691] __driver_probe_device+0x24f/0x310\n [ 15.165691] driver_probe_device+0x4a/0xd0\n [ 15.165691] __device_attach_driver+0x169/0x220\n [ 15.165691] bus_for_each_drv+0x118/0x1b0\n [ 15.165691] __device_attach+0x1d5/0x380\n [ 15.165691] device_initial_probe+0x12/0x20\n [ 15.165691] bus_probe_device+0x13d/0x180\n [ 15.165691] device_add+0xd87/0x1510\n [...]\n\nTo fix this issue we should validate the number of fields that the\nbacklight and power reports have and if they do not have the required\nnumber of fields then bail."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: apple: validar el recuento de campos del informe de características para evitar la desreferencia de puntero NULL. Un dispositivo HID malicioso con la peculiaridad APPLE_MAGIC_BACKLIGHT puede activar una desreferencia de puntero NULL mientras el informe de características de potencia se conmuta y se envía al dispositivo en apple_magic_backlight_report_set(). Se espera que el informe de características de potencia tenga dos campos de datos, pero si el descriptor declara un campo, entonces acceder a field[1] y desreferenciarlo en apple_magic_backlight_report_set() se vuelve inválido ya que field[1] será NULL. Un ejemplo de un descriptor mínimo que puede causar el bloqueo es algo como lo siguiente, donde el informe con ID 3 (informe de potencia) solo hace referencia a un único campo de 1 byte. Cuando el núcleo hid analiza el descriptor, encontrará la etiqueta de característica final, asignará un hid_report (todos los miembros de field[] se pondrán a cero), creará una estructura de campo y la completará, aumentando el maxfield a 1. El acceso y la desreferencia a field[1] posteriores provocan el bloqueo. Página de uso (definida por el proveedor 0xFF00) Uso (0x0F) Recopilación (aplicación) ID de informe (1) Uso (0x01) Mínimo lógico (0) Máximo lógico (255) Tamaño de informe (8) Cantidad de informes (1) Característica (datos, variables, abs) Uso (0x02) Máximo lógico (32767) Tamaño de informe (16) Cantidad de informes (1) Característica (datos, variables, abs) ID de informe (3) Uso (0x03) Mínimo lógico (0) Máximo lógico (1) Tamaño de informe (8) Cantidad de informes (1) Característica (datos, variables, abs) Fin de recopilación Aquí vemos el splat de KASAN cuando el núcleo desreferencia el puntero NULL y se bloquea: [ 15.164723] Ups: fallo de protección general, probablemente para la dirección no canónica 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI [ 15.165691] KASAN: null-ptr-deref en el rango [0x0000000000000030-0x0000000000000037] [ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 No contaminado 6.15.0 #31 PREEMPT(voluntario) [ 15.165691] Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 01/04/2014 [ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210 [ 15.165691] Rastreo de llamadas: [ 15.165691] [ 15.165691] apple_probe+0x571/0xa20 [ 15.165691] hid_device_probe+0x2e2/0x6f0 [ 15.165691] really_probe+0x1ca/0x5c0 [ 15.165691] __driver_probe_device+0x24f/0x310 [ 15.165691] driver_probe_device+0x4a/0xd0 [ 15.165691] __device_attach_driver+0x169/0x220 [ 15.165691] bus_for_each_drv+0x118/0x1b0 [ 15.165691] __device_attach+0x1d5/0x380 [ 15.165691] device_initial_probe+0x12/0x20 [ 15.165691] bus_probe_device+0x13d/0x180 [ 15.165691] device_add+0xd87/0x1510 [...] Para solucionar este problema debemos validar el número de campos que tienen los reportes de retroiluminación y energía y si no tienen el número de campos requerido entonces abandonar."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.12.42","matchCriteriaId":"F8763925-0DBB-4581-B7CC-71A26867D63E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.10","matchCriteriaId":"5890C690-B295-40C2-9121-FF5F987E5142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.16.1","matchCriteriaId":"58182352-D7DF-4CC9-841E-03C1D852C3FB"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/00896c3f41cb6b74fec853386076115ba50baf0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1bb3363da862e0464ec050eea2fb5472a36ad86b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7e15d1eaa88179c5185e57a38ab05fe852d0cb8d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ba08cc6801ec5fb98f2d02b5f0c614c931845325","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}