CVE-2026-46202 (GCVE-0-2026-46202)

Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
VLAI
Title
HID: appletb-kbd: run inactivity autodim from workqueues
Summary
In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: run inactivity autodim from workqueues The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts: * appletb_inactivity_timer() is a struct timer_list callback, so it runs in softirq context. Every expiry triggers BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: <IRQ> __might_resched __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq * reset_inactivity_timer() is called from appletb_kbd_hid_event() and appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning. Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue: * Convert the inactivity timer from struct timer_list to struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal. * Add a dedicated struct work_struct restore_brightness_work and have reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly. Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop. The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as "reset the inactivity timer".
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 93a0fc48948107e0cc34e1de22c3cb363a8f2783 , < 5c0830323689ef15224f0025276176988861b3b0 (git)
Affected: 93a0fc48948107e0cc34e1de22c3cb363a8f2783 , < 2473a334c292af257ef68e33bc7760f4a8251812 (git)
Affected: 93a0fc48948107e0cc34e1de22c3cb363a8f2783 , < 1654e53349d4e657b331de354313461f401f5063 (git)
Create a notification for this product.
Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.18.32 , ≤ 6.18.* (semver)
Unaffected: 7.0.9 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-appletb-kbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5c0830323689ef15224f0025276176988861b3b0",
              "status": "affected",
              "version": "93a0fc48948107e0cc34e1de22c3cb363a8f2783",
              "versionType": "git"
            },
            {
              "lessThan": "2473a334c292af257ef68e33bc7760f4a8251812",
              "status": "affected",
              "version": "93a0fc48948107e0cc34e1de22c3cb363a8f2783",
              "versionType": "git"
            },
            {
              "lessThan": "1654e53349d4e657b331de354313461f401f5063",
              "status": "affected",
              "version": "93a0fc48948107e0cc34e1de22c3cb363a8f2783",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-appletb-kbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc4",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: run inactivity autodim from workqueues\n\nThe autodim code in hid-appletb-kbd takes backlight_device-\u003eops_lock\nvia backlight_device_set_brightness() -\u003e mutex_lock() from two\ndifferent atomic contexts:\n\n * appletb_inactivity_timer() is a struct timer_list callback, so it\n   runs in softirq context.  Every expiry triggers\n\n     BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591\n     Call Trace:\n      \u003cIRQ\u003e\n      __might_resched\n      __mutex_lock\n      backlight_device_set_brightness\n      appletb_inactivity_timer\n      call_timer_fn\n      run_timer_softirq\n\n * reset_inactivity_timer() is called from appletb_kbd_hid_event() and\n   appletb_kbd_inp_event().  On real USB hardware these run in\n   softirq/IRQ context (URB completion and input-event dispatch).\n   When the Touch Bar has already been dimmed or turned off, the\n   reset path calls backlight_device_set_brightness() directly to\n   restore brightness, producing the same warning.\n\nBoth call sites hit the same mutex_lock()-from-atomic bug.  Fix them\ntogether by moving the blocking work onto the system workqueue:\n\n * Convert the inactivity timer from struct timer_list to\n   struct delayed_work; the callback (appletb_inactivity_work) now\n   runs in process context where mutex_lock() is legal.\n * Add a dedicated struct work_struct restore_brightness_work and have\n   reset_inactivity_timer() schedule it instead of calling\n   backlight_device_set_brightness() directly.\n\nCancel both works synchronously during driver tear-down alongside the\nexisting backlight reference drop.\n\nThe semantics are unchanged (same delays, same state transitions on\ndim, turn-off and user activity); only the execution context of the\nsleeping call changes.  The timer field and callback are renamed to\nmatch their new type; reset_inactivity_timer() keeps its name because\nit is invoked from input event paths that read naturally as \"reset\nthe inactivity timer\"."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T09:40:18.687Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5c0830323689ef15224f0025276176988861b3b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2473a334c292af257ef68e33bc7760f4a8251812"
        },
        {
          "url": "https://git.kernel.org/stable/c/1654e53349d4e657b331de354313461f401f5063"
        }
      ],
      "title": "HID: appletb-kbd: run inactivity autodim from workqueues",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46202",
    "datePublished": "2026-05-28T09:40:18.687Z",
    "dateReserved": "2026-05-13T15:03:33.104Z",
    "dateUpdated": "2026-05-28T09:40:18.687Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46202",
      "date": "2026-05-29",
      "epss": "0.00017",
      "percentile": "0.04472"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46202\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-28T10:16:35.860\",\"lastModified\":\"2026-05-28T13:44:01.663\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: appletb-kbd: run inactivity autodim from workqueues\\n\\nThe autodim code in hid-appletb-kbd takes backlight_device-\u003eops_lock\\nvia backlight_device_set_brightness() -\u003e mutex_lock() from two\\ndifferent atomic contexts:\\n\\n * appletb_inactivity_timer() is a struct timer_list callback, so it\\n   runs in softirq context.  Every expiry triggers\\n\\n     BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591\\n     Call Trace:\\n      \u003cIRQ\u003e\\n      __might_resched\\n      __mutex_lock\\n      backlight_device_set_brightness\\n      appletb_inactivity_timer\\n      call_timer_fn\\n      run_timer_softirq\\n\\n * reset_inactivity_timer() is called from appletb_kbd_hid_event() and\\n   appletb_kbd_inp_event().  On real USB hardware these run in\\n   softirq/IRQ context (URB completion and input-event dispatch).\\n   When the Touch Bar has already been dimmed or turned off, the\\n   reset path calls backlight_device_set_brightness() directly to\\n   restore brightness, producing the same warning.\\n\\nBoth call sites hit the same mutex_lock()-from-atomic bug.  Fix them\\ntogether by moving the blocking work onto the system workqueue:\\n\\n * Convert the inactivity timer from struct timer_list to\\n   struct delayed_work; the callback (appletb_inactivity_work) now\\n   runs in process context where mutex_lock() is legal.\\n * Add a dedicated struct work_struct restore_brightness_work and have\\n   reset_inactivity_timer() schedule it instead of calling\\n   backlight_device_set_brightness() directly.\\n\\nCancel both works synchronously during driver tear-down alongside the\\nexisting backlight reference drop.\\n\\nThe semantics are unchanged (same delays, same state transitions on\\ndim, turn-off and user activity); only the execution context of the\\nsleeping call changes.  The timer field and callback are renamed to\\nmatch their new type; reset_inactivity_timer() keeps its name because\\nit is invoked from input event paths that read naturally as \\\"reset\\nthe inactivity timer\\\".\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1654e53349d4e657b331de354313461f401f5063\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2473a334c292af257ef68e33bc7760f4a8251812\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5c0830323689ef15224f0025276176988861b3b0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.