CVE-2025-39824: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-39824) was discovered in the Linux kernel's HID ASUS driver. The vulnerability was disclosed on September 16, 2025, affecting the input device handling functionality in the Linux kernel (NVD).

The vulnerability occurs during the HID device initialization process. After hid_hw_start() is called, hidinput_connect() processes input and output reports to configure HID inputs. The issue arises when capability bitmaps are not set, causing hidinput_has_been_populated() to fail, which leads to freeing of the hid_input and underlying input device. A malicious HID device, such as an ASUS ROG N-Key keyboard, can exploit this through a specially crafted descriptor using HID_UP_UNDEFINED Usage Page, resulting in a use-after-free condition when the freed input device name is accessed (NVD).

The vulnerability affects the Linux kernel's input device handling system, particularly impacting ASUS HID devices. The issue has been included in multiple security updates for various Linux distributions, including Debian's oldstable (bookworm) distribution version 6.1.153-1 (Debian Security).

The vulnerability has been fixed in the Linux kernel. Users are recommended to upgrade their systems to the patched versions. For Debian's oldstable (bookworm) distribution, the fix is available in version 6.1.153-1 (Debian Security).