CVE-2025-68323 (GCVE-0-2025-68323)
Vulnerability from cvelistv5
Published: 2025-12-18 15:02
Modified: 2025-12-18 15:02
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: fix use-after-free caused by uec->work

The delayed work uec->work is scheduled in gaokun_ucsi_probe() but never properly canceled in gaokun_ucsi_remove(). This creates use-after-free scenarios where the ucsi and gaokun_ucsi structure are freed after ucsi_destroy() completes execution, while the gaokun_ucsi_register_worker() might be either currently executing or still pending in the work queue. The already-freed gaokun_ucsi or ucsi structure may then be accessed.

Furthermore, the race window is 3 seconds, which is sufficiently long to make this bug easily reproducible. The following is the trace captured by KASAN:

==================================================================
BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630
Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0
...
Call trace:
 show_stack+0x18/0x24 (C)
 dump_stack_lvl+0x78/0x90
 print_report+0x114/0x580
 kasan_report+0xa4/0xf0
 __asan_report_store8_noabort+0x20/0x2c
 __run_timers+0x5ec/0x630
 run_timer_softirq+0xe8/0x1cc
 handle_softirqs+0x294/0x720
 __do_softirq+0x14/0x20
 ____do_softirq+0x10/0x1c
 call_on_irq_stack+0x30/0x48
 do_softirq_own_stack+0x1c/0x28
 __irq_exit_rcu+0x27c/0x364
 irq_exit_rcu+0x10/0x1c
 el1_interrupt+0x40/0x60
 el1h_64_irq_handler+0x18/0x24
 el1h_64_irq+0x6c/0x70
 arch_local_irq_enable+0x4/0x8 (P)
 do_idle+0x334/0x458
 cpu_startup_entry+0x60/0x70
 rest_init+0x158/0x174
 start_kernel+0x2f8/0x394
 __primary_switched+0x8c/0x94

Allocated by task 72 on cpu 0 at 27.510341s:
 kasan_save_stack+0x2c/0x54
 kasan_save_track+0x24/0x5c
 kasan_save_alloc_info+0x40/0x54
 __kasan_kmalloc+0xa0/0xb8
 __kmalloc_node_track_caller_noprof+0x1c0/0x588
 devm_kmalloc+0x7c/0x1c8
 gaokun_ucsi_probe+0xa0/0x840
 auxiliary_bus_probe+0x94/0xf8
 really_probe+0x17c/0x5b8
 __driver_probe_device+0x158/0x2c4
 driver_probe_device+0x10c/0x264
 __device_attach_driver+0x168/0x2d0
 bus_for_each_drv+0x100/0x188
 __device_attach+0x174/0x368
 device_initial_probe+0x14/0x20
 bus_probe_device+0x120/0x150
 device_add+0xb3c/0x10fc
 __auxiliary_device_add+0x88/0x130
...

Freed by task 73 on cpu 1 at 28.910627s:
 kasan_save_stack+0x2c/0x54
 kasan_save_track+0x24/0x5c
 __kasan_save_free_info+0x4c/0x74
 __kasan_slab_free+0x60/0x8c
 kfree+0xd4/0x410
 devres_release_all+0x140/0x1f0
 device_unbind_cleanup+0x20/0x190
 device_release_driver_internal+0x344/0x460
 device_release_driver+0x18/0x24
 bus_remove_device+0x198/0x274
 device_del+0x310/0xa84
...

The buggy address belongs to the object at ffff00000ec28c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 200 bytes inside of
 freed 512-byte region
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
page_type: f5(slab)
raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
================================================================
---truncated---
Impacted products
Vendor  Product  Version
Linux   Linux    git commit 00327d7f2c8c512c9b168daae02c8b989f79ec71 and later (the same introducing commit heads all three affected ranges in the record below)


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d8ac85c76a4279979b917d4b2f9c6b07d9783003",
              "status": "affected",
              "version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
              "versionType": "git"
            },
            {
              "lessThan": "a880ef71a1c8da266b88491213c37893e2126489",
              "status": "affected",
              "version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
              "versionType": "git"
            },
            {
              "lessThan": "2b7a0f47aaf2439d517ba0a6b29c66a535302154",
              "status": "affected",
              "version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: fix use-after-free caused by uec-\u003ework\n\nThe delayed work uec-\u003ework is scheduled in gaokun_ucsi_probe()\nbut never properly canceled in gaokun_ucsi_remove(). This creates\nuse-after-free scenarios where the ucsi and gaokun_ucsi structure\nare freed after ucsi_destroy() completes execution, while the\ngaokun_ucsi_register_worker() might be either currently executing\nor still pending in the work queue. The already-freed gaokun_ucsi\nor ucsi structure may then be accessed.\n\nFurthermore, the race window is 3 seconds, which is sufficiently\nlong to make this bug easily reproducible. The following is the\ntrace captured by KASAN:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630\nWrite of size 8 at addr ffff00000ec28cc8 by task swapper/0/0\n...\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x78/0x90\n print_report+0x114/0x580\n kasan_report+0xa4/0xf0\n __asan_report_store8_noabort+0x20/0x2c\n __run_timers+0x5ec/0x630\n run_timer_softirq+0xe8/0x1cc\n handle_softirqs+0x294/0x720\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x30/0x48\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x27c/0x364\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x40/0x60\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n arch_local_irq_enable+0x4/0x8 (P)\n do_idle+0x334/0x458\n cpu_startup_entry+0x60/0x70\n rest_init+0x158/0x174\n start_kernel+0x2f8/0x394\n __primary_switched+0x8c/0x94\n\nAllocated by task 72 on cpu 0 at 27.510341s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n kasan_save_alloc_info+0x40/0x54\n __kasan_kmalloc+0xa0/0xb8\n __kmalloc_node_track_caller_noprof+0x1c0/0x588\n devm_kmalloc+0x7c/0x1c8\n gaokun_ucsi_probe+0xa0/0x840  auxiliary_bus_probe+0x94/0xf8\n really_probe+0x17c/0x5b8\n __driver_probe_device+0x158/0x2c4\n driver_probe_device+0x10c/0x264\n __device_attach_driver+0x168/0x2d0\n bus_for_each_drv+0x100/0x188\n __device_attach+0x174/0x368\n device_initial_probe+0x14/0x20\n bus_probe_device+0x120/0x150\n device_add+0xb3c/0x10fc\n __auxiliary_device_add+0x88/0x130\n...\n\nFreed by task 73 on cpu 1 at 28.910627s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n __kasan_save_free_info+0x4c/0x74\n __kasan_slab_free+0x60/0x8c\n kfree+0xd4/0x410\n devres_release_all+0x140/0x1f0\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x344/0x460\n device_release_driver+0x18/0x24\n bus_remove_device+0x198/0x274\n device_del+0x310/0xa84\n...\n\nThe buggy address belongs to the object at ffff00000ec28c00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 200 bytes inside of\n freed 512-byte region\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28\nhead: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)\npage_type: f5(slab)\nraw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nhead: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                              ^\n ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n================================================================\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-18T15:02:48.403Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d8ac85c76a4279979b917d4b2f9c6b07d9783003"
        },
        {
          "url": "https://git.kernel.org/stable/c/a880ef71a1c8da266b88491213c37893e2126489"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b7a0f47aaf2439d517ba0a6b29c66a535302154"
        }
      ],
      "title": "usb: typec: ucsi: fix use-after-free caused by uec-\u003ework",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68323",
    "datePublished": "2025-12-18T15:02:48.403Z",
    "dateReserved": "2025-12-16T14:48:05.296Z",
    "dateUpdated": "2025-12-18T15:02:48.403Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68323\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-18T15:16:06.103\",\"lastModified\":\"2025-12-19T18:00:54.283\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: typec: ucsi: fix use-after-free caused by uec-\u003ework\\n\\nThe delayed work uec-\u003ework is scheduled in gaokun_ucsi_probe()\\nbut never properly canceled in gaokun_ucsi_remove(). This creates\\nuse-after-free scenarios where the ucsi and gaokun_ucsi structure\\nare freed after ucsi_destroy() completes execution, while the\\ngaokun_ucsi_register_worker() might be either currently executing\\nor still pending in the work queue. The already-freed gaokun_ucsi\\nor ucsi structure may then be accessed.\\n\\nFurthermore, the race window is 3 seconds, which is sufficiently\\nlong to make this bug easily reproducible. The following is the\\ntrace captured by KASAN:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630\\nWrite of size 8 at addr ffff00000ec28cc8 by task swapper/0/0\\n...\\nCall trace:\\n show_stack+0x18/0x24 (C)\\n dump_stack_lvl+0x78/0x90\\n print_report+0x114/0x580\\n kasan_report+0xa4/0xf0\\n __asan_report_store8_noabort+0x20/0x2c\\n __run_timers+0x5ec/0x630\\n run_timer_softirq+0xe8/0x1cc\\n handle_softirqs+0x294/0x720\\n __do_softirq+0x14/0x20\\n ____do_softirq+0x10/0x1c\\n call_on_irq_stack+0x30/0x48\\n do_softirq_own_stack+0x1c/0x28\\n __irq_exit_rcu+0x27c/0x364\\n irq_exit_rcu+0x10/0x1c\\n el1_interrupt+0x40/0x60\\n el1h_64_irq_handler+0x18/0x24\\n el1h_64_irq+0x6c/0x70\\n arch_local_irq_enable+0x4/0x8 (P)\\n do_idle+0x334/0x458\\n cpu_startup_entry+0x60/0x70\\n rest_init+0x158/0x174\\n start_kernel+0x2f8/0x394\\n __primary_switched+0x8c/0x94\\n\\nAllocated by task 72 on cpu 0 at 27.510341s:\\n kasan_save_stack+0x2c/0x54\\n kasan_save_track+0x24/0x5c\\n kasan_save_alloc_info+0x40/0x54\\n __kasan_kmalloc+0xa0/0xb8\\n __kmalloc_node_track_caller_noprof+0x1c0/0x588\\n devm_kmalloc+0x7c/0x1c8\\n gaokun_ucsi_probe+0xa0/0x840  auxiliary_bus_probe+0x94/0xf8\\n really_probe+0x17c/0x5b8\\n __driver_probe_device+0x158/0x2c4\\n driver_probe_device+0x10c/0x264\\n __device_attach_driver+0x168/0x2d0\\n bus_for_each_drv+0x100/0x188\\n __device_attach+0x174/0x368\\n device_initial_probe+0x14/0x20\\n bus_probe_device+0x120/0x150\\n device_add+0xb3c/0x10fc\\n __auxiliary_device_add+0x88/0x130\\n...\\n\\nFreed by task 73 on cpu 1 at 28.910627s:\\n kasan_save_stack+0x2c/0x54\\n kasan_save_track+0x24/0x5c\\n __kasan_save_free_info+0x4c/0x74\\n __kasan_slab_free+0x60/0x8c\\n kfree+0xd4/0x410\\n devres_release_all+0x140/0x1f0\\n device_unbind_cleanup+0x20/0x190\\n device_release_driver_internal+0x344/0x460\\n device_release_driver+0x18/0x24\\n bus_remove_device+0x198/0x274\\n device_del+0x310/0xa84\\n...\\n\\nThe buggy address belongs to the object at ffff00000ec28c00\\n which belongs to the cache kmalloc-512 of size 512\\nThe buggy address is located 200 bytes inside of\\n freed 512-byte region\\nThe buggy address belongs to the physical page:\\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28\\nhead: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\\nflags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)\\npage_type: f5(slab)\\nraw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\\nraw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\\nhead: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\\nhead: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\\nhead: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff\\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\\npage dumped because: kasan: bad access detected\\n\\nMemory state around the buggy address:\\n ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n\u003effff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n                                              ^\\n ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n================================================================\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2b7a0f47aaf2439d517ba0a6b29c66a535302154\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a880ef71a1c8da266b88491213c37893e2126489\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d8ac85c76a4279979b917d4b2f9c6b07d9783003\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

