Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB.

Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels).

https://github.com/xairy/kernel-exploits/tree/master/CVE-2025-38494
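Added example, not the trigger from the repository above and not kernel code: a constructed C illustration of the bug class the post names, an unsigned length underflow that turns into an out-of-bounds read, next to the check that rejects it. The 4-byte header, the 64-byte receive buffer, the 64 KB transfer cap and every function name here are hypothetical; the post does not say how the real HID code computes its length or what bounds the real leak at 64 KB.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed header: 1 byte report id, 1 byte type, 2 bytes length. */
#define HDR_LEN 4u
/* Hypothetical receive buffer size and transfer cap; not the real driver's values. */
#define REPORT_BUF_LEN 64u
#define XFER_CAP (64u * 1024u)

/* Vulnerable pattern: the device-controlled total length is trusted and the
 * header size is subtracted without checking total >= HDR_LEN. For total < 4
 * the unsigned subtraction wraps to a value near SIZE_MAX. */
static size_t payload_len_unchecked(uint16_t total)
{
    return (size_t)total - HDR_LEN;
}

/* Hardened pattern: bound the length against both the header and the buffer
 * the report was actually received into, before doing any arithmetic on it.
 * Returns 0 and stores the payload length on success, -1 if rejected. */
static int payload_len_checked(uint16_t total, size_t buf_len, size_t *out)
{
    if (total < HDR_LEN || total > buf_len)
        return -1;
    *out = (size_t)total - HDR_LEN;
    return 0;
}

/* How many bytes a copy of copy_len starting at report + HDR_LEN would read
 * past a buf_len-byte buffer, after a later layer clamps copy_len to xfer_cap.
 * A cap on the transfer size bounds the leak but does not prevent it; only a
 * check against buf_len does. */
static size_t oob_read_bytes(size_t copy_len, size_t buf_len, size_t xfer_cap)
{
    size_t avail = buf_len >= HDR_LEN ? buf_len - HDR_LEN : 0;
    if (copy_len > xfer_cap)
        copy_len = xfer_cap;
    return copy_len > avail ? copy_len - avail : 0;
}

/* Constructed device report whose length field (little-endian, bytes 2-3) is
 * smaller than the header it is supposed to include. */
static uint16_t malicious_total_len(void)
{
    const uint8_t report[REPORT_BUF_LEN] = { 0x01, 0x02, 0x02, 0x00 }; /* len = 2 */
    return (uint16_t)(report[2] | (report[3] << 8));
}

int main(void)
{
    uint16_t total = malicious_total_len();
    size_t bad = payload_len_unchecked(total);
    size_t good = 0;
    int rc = payload_len_checked(total, REPORT_BUF_LEN, &good);

    printf("unchecked payload length: %zu (wrapped)\n", bad);
    printf("bytes read past the %u-byte buffer after a %u-byte cap: %zu\n",
           REPORT_BUF_LEN, XFER_CAP, oob_read_bytes(bad, REPORT_BUF_LEN, XFER_CAP));
    printf("checked parser: %s\n", rc == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point a reviewer would check for in any length computation of this shape is that the subtraction is guarded by a comparison against the header size and against the size of the buffer the data actually lives in; clamping only the eventual copy size leaves a leak whose size is set by the clamp rather than by the buffer.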

"Wrote" is a strong word for this; I just cleaned up the reproducer from this syzbot report:

https://syzkaller.appspot.com/bug?extid=fbe9fff1374eefadffb9

The report has been public on the dashboard for over 2 months now. And there are plenty of other USB bugs that are still not fixed.

I also suspect that the CVE-2025-38494/5 fix is what actually fixes CVE-2024-50302.

Assuming the used chain was portable enough to also cover devices with CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, replacing kmalloc with kzalloc possibly did nothing.

https://infosec.exchange/@xairy/114082306954145500

Andrey Konovalov (@xairy@infosec.exchange):

Reaching code for CVE-2024-50302 (infoleak via Anton Touchpad) seems to require a bit more descriptions work: hid-multitouch.c is barely covered by syzbot. But the bug type is discoverable via KMSAN: it reports infoleaks over USB as kernel-usb-infoleak. https://storage.googleapis.com/syzbot-assets/7efefb59364f/ci2-upstream-usb-c749f058.html#drivers%2fhid%2fhid-multitouch.c
@xairy @twiddles I just realized: this is in hid-core, so this still wouldn't explain why the original exploits used a Microsoft mouse and an Anton touchpad.