CVE-2025-38103

Name: CVE-2025-38103
Creator: NVD / NIST
Published: 2025-07-03T09:15:23.847+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.1/10EPSS 0.18%

Last modified Jun 17, 2026

CVE-2025-38103 is a high-severity vulnerability rated 7.1/10 on the CVSS scale. In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are valid. Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault. Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors.. EPSS estimates a 0.18% chance of exploitation in the next 30 days.

Description

In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are valid. Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault. Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors.

Metrics

CVSS 3.1

7.1/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS Probability

0.18%

7.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-125

Affected Software

Vendor	Product	Versions
Linux	Linux Kernel	>= 3.2.95, < 3.3
Linux	Linux Kernel	>= 3.16.50, < 3.17
Linux	Linux Kernel	>= 3.18.76, < 3.19
Linux	Linux Kernel	>= 4.1.46, < 4.2
Linux	Linux Kernel	>= 4.4.93, < 4.5
Linux	Linux Kernel	>= 4.9.57, < 4.10
Linux	Linux Kernel	>= 4.13.8, < 4.14
Linux	Linux Kernel	>= 4.14.1, < 5.4.295
Linux	Linux Kernel	>= 5.5, < 5.10.239
Linux	Linux Kernel	>= 5.11, < 5.15.186
Linux	Linux Kernel	>= 5.16, < 6.1.142
Linux	Linux Kernel	>= 6.2, < 6.6.94
Linux	Linux Kernel	>= 6.7, < 6.12.34
Linux	Linux Kernel	>= 6.13, < 6.15.3
Linux	Linux Kernel	4.14
Debian	Debian Linux	11.0

References

Timeline

Published: Jul 3, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-38103?

How severe is CVE-2025-38103?

CVE-2025-38103 has a CVSS score of 7.1/10 (HIGH severity). The EPSS model estimates a 0.18% probability of exploitation in the next 30 days.

How do I fix CVE-2025-38103?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-38103?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST