Description

In the Linux kernel, the following vulnerability has been resolved:

tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT

This requirement was overeagerly loosened in commit 2f83e38a095f
("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), but as
it turns out,

(1) the logic I implemented there was inconsistent (apologies!),

(2) TIOCL_SELMOUSEREPORT might actually be a small security risk
after all, and

(3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse
daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN
already.

In more detail:

1. The previous patch has inconsistent logic:

In commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes
without CAP_SYS_ADMIN"), we checked for sel_mode ==
TIOCL_SELMOUSEREPORT, but overlooked that the lower four bits of
this "mode" parameter were actually used as an additional way to
pass an argument. So the patch did actually still require
CAP_SYS_ADMIN, if any of the mouse button bits are set, but did not
require it if none of the mouse buttons bits are set.

This logic is inconsistent and was not intentional. We should have
the same policies for using TIOCL_SELMOUSEREPORT independent of the
value of the "hidden" mouse button argument.

I sent a separate documentation patch to the man page list with
more details on TIOCL_SELMOUSEREPORT:
https://lore.kernel.org/all/[email protected]/

2. TIOCL_SELMOUSEREPORT ...

Classification

CVE ID: CVE-2025-37814

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 4.25% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-37814
https://git.kernel.org/stable/c/6f021bc0083b96125fdbed6a60d7b4396c4d6dac
https://git.kernel.org/stable/c/9b50c9c97db953de756a39af83d4be4d7f618aa6
https://git.kernel.org/stable/c/ee6a44da3c87cf64d67dd02be8c0127a5bf56175

Timeline