CVE-2025-38540: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38540 is a vulnerability in the Linux kernel related to Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C). The vulnerability was discovered and disclosed on August 16, 2025. The issue affects Linux kernel systems where these specific camera models report a HID sensor interface that is not actually implemented (NVD).

The vulnerability occurs when the cameras report a HID sensor interface that is not actually implemented. When attempting to access this non-functional sensor via iio_info, the system hangs as runtime PM tries to wake up an unresponsive sensor. The issue has been assigned a CVSS v3.1 base score of 5.5 (Moderate) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

When exploited, this vulnerability can cause system hangs due to runtime PM attempting to wake up an unresponsive sensor. This primarily affects system availability, with no direct impact on confidentiality or integrity (Red Hat).

The vulnerability has been addressed by adding these two devices to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace. Fixed versions are available in Linux kernel 6.12.41-1 for Debian trixie and 6.16.3-1 for Debian forky/sid (Debian).