ghsa-v2qv-44ch-jx7v
Vulnerability from github
Published
2025-04-01 18:30
Modified
2025-11-03 21:33
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function.

The function currently frees the driver_data directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, hid_destroy_device() uses driver_data when it calls hid_ishtp_set_feature() to power off the sensor, so freeing driver_data beforehand can result in accessing invalid memory.

This patch resolves the issue by storing the driver_data in a temporary variable before calling hid_destroy_device(), and then freeing the driver_data after the device is destroyed.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T16:15:23Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()\n\nThe system can experience a random crash a few minutes after the driver is\nremoved. This issue occurs due to improper handling of memory freeing in\nthe ishtp_hid_remove() function.\n\nThe function currently frees the `driver_data` directly within the loop\nthat destroys the HID devices, which can lead to accessing freed memory.\nSpecifically, `hid_destroy_device()` uses `driver_data` when it calls\n`hid_ishtp_set_feature()` to power off the sensor, so freeing\n`driver_data` beforehand can result in accessing invalid memory.\n\nThis patch resolves the issue by storing the `driver_data` in a temporary\nvariable before calling `hid_destroy_device()`, and then freeing the\n`driver_data` after the device is destroyed.",
  "id": "GHSA-v2qv-44ch-jx7v",
  "modified": "2025-11-03T21:33:23Z",
  "published": "2025-04-01T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21928"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01b18a330cda61cc21423a7d1af92cf31ded8f60"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07583a0010696a17fb0942e0b499a62785c5fc9f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/560f4d1299342504a6ab8a47f575b5e6b8345ada"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3faae7f42181865c799d88c5054176f38ae4625"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dea6a349bcaf243fff95dfd0428a26be6a0fb44e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.