
CVE-2025-68282

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: udc: fix use-after-free in usb_gadget_state_work

A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:

  BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
  Workqueue: events usb_gadget_state_work

The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().

Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.

This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.
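The ordering described above can be followed in a small userspace model. This is an added example, not the kernel patch or any code from the Linux project: the struct, the helper names, the atomic_flag standing in for the spinlock and the injected "late event" are assumptions made for illustration; only the names 'teardown' and 'state_lock' come from the description.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; field names follow the description above. */
struct gadget_model {
    atomic_flag state_lock;  /* stands in for the 'state_lock' spinlock */
    bool teardown;           /* set once cleanup has commenced */
    bool work_pending;       /* models gadget->work being queued */
};

static void model_lock(struct gadget_model *g) { while (atomic_flag_test_and_set(&g->state_lock)) { } }
static void model_unlock(struct gadget_model *g) { atomic_flag_clear(&g->state_lock); }

/* Scheduling site: queue work unless teardown has begun. Returns true if
 * work was queued. gate=false models the code before the fix (no check). */
static bool model_set_state(struct gadget_model *g, bool gate)
{
    model_lock(g);
    bool queued = !(gate && g->teardown);
    if (queued)
        g->work_pending = true;
    model_unlock(g);
    return queued;
}

/* Cleanup path with a late event injected after the flush. Returns true
 * if work is still queued at the point where the memory would be freed. */
static bool work_pending_at_free(bool gate)
{
    struct gadget_model g = { ATOMIC_FLAG_INIT, false, false };
    model_set_state(&g, gate);   /* normal operation queues work */
    model_lock(&g);
    g.teardown = true;           /* flag is set before the flush */
    model_unlock(&g);
    g.work_pending = false;      /* models flush_work() draining the item */
    model_set_state(&g, gate);   /* constructed late interrupt */
    return g.work_pending;       /* true = work would touch freed memory */
}

int main(void)
{
    printf("flush only:    pending at free = %d\n", work_pending_at_free(false));
    printf("teardown flag: pending at free = %d\n", work_pending_at_free(true));
    return 0;
}
```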

Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).

Vendor: Linux
Product: Linux
Default status: affected

Version     Range bound   Status
3.12        -             affected
0           < 3.12        unaffected
5.10.248    <= 5.10.*     unaffected
5.15.198    <= 5.15.*     unaffected
6.1.159     <= 6.1.*      unaffected
6.6.119     <= 6.6.*      unaffected
6.12.61     <= 6.12.*     unaffected
6.17.11     <= 6.17.*     unaffected
6.18        <= *          unaffected

No CISA KEV or CERT.AT warning was found for this CVE.

EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.06%   0.191

CVSS metrics
Source   Base Score   Exploit Score   Impact Score   Vector String

No CWE information has been published yet.