FKIE_CVE-2025-68822

Vulnerability from fkie_nvd - Published: 2026-01-13 16:16 - Updated: 2026-04-15 00:35
Summary
In the Linux kernel, the following vulnerability has been resolved:

Input: alps - fix use-after-free bugs caused by dev3_register_work

The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in psmouse_disconnect() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after flush_workqueue() has finished executing, the dev3_register_work could still be scheduled. Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), the scheduling of dev3_register_work remains unaffected.

The race condition can occur as follows:

CPU 0 (cleanup path)     | CPU 1 (delayed work)
psmouse_disconnect()     |
  psmouse_set_state()    |
  flush_workqueue()      | alps_report_bare_ps2_packet()
  alps_disconnect()      |   psmouse_queue_work()
    kfree(priv); // FREE | alps_register_bare_ps2_mouse()
                         |   priv = container_of(work...); // USE
                         |   priv->dev3 // USE

Add disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated.

This bug is identified by static analysis.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: alps - fix use-after-free bugs caused by dev3_register_work\n\nThe dev3_register_work delayed work item is initialized within\nalps_reconnect() and scheduled upon receipt of the first bare\nPS/2 packet from an external PS/2 device connected to the ALPS\ntouchpad. During device detachment, the original implementation\ncalls flush_workqueue() in psmouse_disconnect() to ensure\ncompletion of dev3_register_work. However, the flush_workqueue()\nin psmouse_disconnect() only blocks and waits for work items that\nwere already queued to the workqueue prior to its invocation. Any\nwork items submitted after flush_workqueue() is called are not\nincluded in the set of tasks that the flush operation awaits.\nThis means that after flush_workqueue() has finished executing,\nthe dev3_register_work could still be scheduled. Although the\npsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),\nthe scheduling of dev3_register_work remains unaffected.\n\nThe race condition can occur as follows:\n\nCPU 0 (cleanup path)     | CPU 1 (delayed work)\npsmouse_disconnect()     |\n  psmouse_set_state()    |\n  flush_workqueue()      | alps_report_bare_ps2_packet()\n  alps_disconnect()      |   psmouse_queue_work()\n    kfree(priv); // FREE | alps_register_bare_ps2_mouse()\n                         |   priv = container_of(work...); // USE\n                         |   priv-\u003edev3 // USE\n\nAdd disable_delayed_work_sync() in alps_disconnect() to ensure\nthat dev3_register_work is properly canceled and prevented from\nexecuting after the alps_data structure has been deallocated.\n\nThis bug is identified by static analysis."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nEntrada: alps - corrige errores de uso despu\u00e9s de liberaci\u00f3n causados por dev3_register_work\n\nEl elemento de trabajo retrasado dev3_register_work se inicializa dentro de alps_reconnect() y se programa al recibir el primer paquete PS/2 \u0027bare\u0027 de un dispositivo PS/2 externo conectado al touchpad ALPS. Durante la desconexi\u00f3n del dispositivo, la implementaci\u00f3n original llama a flush_workqueue() en psmouse_disconnect() para asegurar la finalizaci\u00f3n de dev3_register_work. Sin embargo, la flush_workqueue() en psmouse_disconnect() solo bloquea y espera por elementos de trabajo que ya estaban en cola en la workqueue antes de su invocaci\u00f3n. Cualquier elemento de trabajo enviado despu\u00e9s de que se llama a flush_workqueue() no se incluye en el conjunto de tareas que la operaci\u00f3n de \u0027flush\u0027 espera. Esto significa que despu\u00e9s de que flush_workqueue() ha terminado de ejecutarse, el dev3_register_work a\u00fan podr\u00eda programarse. Aunque el estado de psmouse se establece en PSMOUSE_CMD_MODE en psmouse_disconnect(), la programaci\u00f3n de dev3_register_work permanece inalterada.\n\nLa condici\u00f3n de carrera puede ocurrir de la siguiente manera:\n\nCPU 0 (ruta de limpieza) | CPU 1 (trabajo retrasado)\npsmouse_disconnect() |\n  psmouse_set_state() |\n  flush_workqueue() | alps_report_bare_ps2_packet()\n  alps_disconnect() |   psmouse_queue_work()\n    kfree(priv); // LIBERAR | alps_register_bare_ps2_mouse()\n                         |   priv = container_of(work...); // USAR\n                         |   priv-\u0026gt;dev3 // USAR\n\nA\u00f1adir disable_delayed_work_sync() en alps_disconnect() para asegurar que dev3_register_work se cancele correctamente y se impida su ejecuci\u00f3n despu\u00e9s de que la estructura alps_data haya sido desasignada.\n\nEste error es identificado por an\u00e1lisis est\u00e1tico."
    }
  ],
  "id": "CVE-2025-68822",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {},
  "published": "2026-01-13T16:16:04.550",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}

