CVE-2025-68282
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: udc: fix use-after-free in usb_gadget_state_work

A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN:

BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
Workqueue: events usb_gadget_state_work

The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup process in usb_del_gadget().

Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after device removal") attempted to fix this by moving flush_work() to after device_del(). However, this does not fully solve the race, as a new work item can still be scheduled *after* flush_work() completes but before the gadget's memory is freed, leading to the same use-after-free.

This patch fixes the race condition robustly by introducing a 'teardown' flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() *before* calling flush_work() to prevent any new work from being scheduled once cleanup has commenced. The scheduling site, usb_gadget_set_state(), now checks this flag under the lock before queueing the work, thus safely closing the race window.
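The interleaving the commit message describes, and the teardown-flag fix, replayed as an added single-threaded C model. This is example code written for this page, not kernel code: the workqueue, spinlock, container_of and kfree are replaced by deterministic stand-ins so that exactly one interleaving (interrupt lands after flush_work() and before kfree()) can be run with and without the patch. The names usb_gadget_set_state, usb_gadget_state_work, teardown and state_lock follow the description; run_teardown, uaf_count and the freed flag are this example's own.

```c
/* Added example (not kernel code): deterministic model of the race between
 * usb_del_gadget() and usb_gadget_set_state(), unpatched and patched. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum usb_device_state { USB_STATE_NOTATTACHED = 0, USB_STATE_CONFIGURED = 7 };

/* Stand-in for the "events" workqueue: a work_struct is queued at most once
 * (schedule_work() semantics) and runs only when the queue is run. */
struct work_struct {
	void (*fn)(struct work_struct *);
	bool pending;
};
static struct work_struct *wq_pending;

static void schedule_work(struct work_struct *w)
{
	if (!w->pending) {
		w->pending = true;
		wq_pending = w;
	}
}

static void run_workqueue(void)
{
	struct work_struct *w = wq_pending;

	wq_pending = NULL;
	if (w) {
		w->pending = false;
		w->fn(w);
	}
}

/* flush_work() waits for a queued instance to finish; it does not stop a
 * later schedule_work() from queueing the same work again. */
static void flush_work(struct work_struct *w)
{
	if (w->pending)
		run_workqueue();
}

/* Model of spinlock_t: single-threaded here, so it only checks nesting. */
static void spin_lock(int *l)   { if (*l) abort(); *l = 1; }
static void spin_unlock(int *l) { *l = 0; }

struct usb_gadget {
	enum usb_device_state state;
	struct work_struct work;	/* runs usb_gadget_state_work */
	int state_lock;			/* added by the fix (spinlock_t in the kernel) */
	bool teardown;			/* added by the fix */
	bool freed;			/* example only: true once kfree() would have run */
};

static int uaf_count;	/* example only: accesses made to a "freed" gadget */

static void usb_gadget_state_work(struct work_struct *w)
{
	struct usb_gadget *g = (struct usb_gadget *)
		((char *)w - offsetof(struct usb_gadget, work)); /* container_of */

	if (g->freed) {		/* where KASAN reported sysfs_notify() */
		uaf_count++;
		return;
	}
	/* sysfs_notify(&g->dev.kobj, NULL, "state"); */
}

/* Scheduling site: fixed == false is the pre-patch path, fixed == true the
 * check under state_lock that the patch adds. */
static void usb_gadget_set_state(struct usb_gadget *g,
				 enum usb_device_state s, bool fixed)
{
	if (!fixed) {
		g->state = s;
		schedule_work(&g->work);
		return;
	}
	spin_lock(&g->state_lock);
	if (!g->teardown) {
		g->state = s;
		schedule_work(&g->work);
	}
	spin_unlock(&g->state_lock);
}

/* Replays usb_del_gadget() with an interrupt calling usb_gadget_set_state()
 * between flush_work() and kfree(). Returns how many use-after-free accesses
 * the later workqueue run makes: 1 unpatched, 0 patched. */
static int run_teardown(bool fixed)
{
	struct usb_gadget *g = calloc(1, sizeof(*g));
	int n;

	if (!g)
		abort();
	uaf_count = 0;
	wq_pending = NULL;
	g->work.fn = usb_gadget_state_work;
	usb_gadget_set_state(g, USB_STATE_CONFIGURED, fixed); /* normal operation */

	/* usb_del_gadget() begins */
	if (fixed) {
		spin_lock(&g->state_lock);
		g->teardown = true;	/* set *before* flush_work() */
		spin_unlock(&g->state_lock);
	}
	/* device_del(&g->dev); */
	flush_work(&g->work);		/* drains the instance queued above */
	usb_gadget_set_state(g, USB_STATE_NOTATTACHED, fixed); /* racing interrupt */
	g->freed = true;		/* kfree(g) */

	run_workqueue();		/* the events workqueue runs later */
	n = uaf_count;
	free(g);
	return n;
}

int main(void)
{
	printf("pre-patch:  %d use-after-free access(es)\n", run_teardown(false));
	printf("with patch: %d use-after-free access(es)\n", run_teardown(true));
	return 0;
}
```

The point the model makes explicit: flush_work() only empties the queue, it does not close the scheduling site, so the only robust fix is to refuse new work at that site, and the refusal and the flag that drives it must sit under the same lock so a concurrent usb_gadget_set_state() cannot read a stale teardown value.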
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: kernel
Version / Range: * (no fixed version range given on this page)
CWE ID: CWE-UNKNOWN (no CWE assigned on this page)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free in the Linux kernel's USB gadget (UDC) core, the code that lets a Linux device act as a USB peripheral. When a gadget is torn down in usb_del_gadget(), the gadget's memory is freed at the end of cleanup, but a work item (gadget->work, which runs usb_gadget_state_work() and calls sysfs_notify() on the gadget's device) may still be queued on the workqueue. The earlier fix, commit 399a45e5237c, called flush_work() after device_del(), which drains any work already queued; it does nothing to stop a concurrent event such as a controller interrupt from calling usb_gadget_set_state() and queueing the work again after the flush has returned but before the memory is freed. When the workqueue later runs that item, it touches the freed gadget, which is what KASAN reported in sysfs_notify(). The fix adds a 'teardown' flag and a 'state_lock' spinlock to struct usb_gadget: usb_del_gadget() sets the flag under the lock before flush_work(), and usb_gadget_set_state() checks the flag under the same lock before queueing work, so nothing can be scheduled once cleanup has started.


How can this vulnerability impact me?

This vulnerability is a use-after-free in kernel context: the stale work item runs on a kernel worker thread and dereferences freed gadget memory. The most likely outcome is a kernel crash, hang, or memory corruption on the affected device. As with other kernel use-after-free bugs, more serious consequences such as privilege escalation cannot be ruled out, but the only evidence on this page is a KASAN report; no CVSS score is given and no exploitation is described. The bug is only reachable on systems that run a UDC driver (devices acting as USB peripherals, such as embedded boards, phones and development kits in gadget mode), and only during gadget teardown, when a controller event races with usb_del_gadget(). It is not reachable over the network.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update to a Linux kernel that carries the fix for the use-after-free in usb_gadget_state_work(), the change that adds the 'teardown' flag and 'state_lock' spinlock to struct usb_gadget. This page lists the affected product as linux kernel with version range '*' and does not name fixed versions, so check your distribution's advisory or the stable kernel release notes for the kernel version that includes the fix. Until the update is applied, note that the race occurs during teardown: avoid unbinding or unloading the UDC driver, or removing the gadget, while the controller is active, and on systems that do not need USB peripheral (gadget) mode at all, do not load the UDC and gadget drivers.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Two different things can be checked. Whether the race has already fired on a system shows up in the kernel log, but only as a KASAN report if the kernel was built with CONFIG_KASAN (a debug option); a production kernel would instead show an oops, a crash in sysfs_notify() or a hang with a 'Workqueue: events usb_gadget_state_work' line. Search the log with 'dmesg | grep -Ei "kasan|usb_gadget_state_work"' or 'journalctl -k | grep -Ei "kasan|usb_gadget_state_work"'. The original report looked like: 'BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0' followed by 'Workqueue: events usb_gadget_state_work'. Whether a system is still exposed is a question of kernel version, not of log content: compare the running kernel version against your distribution's advisory, and for a self-built kernel check whether struct usb_gadget in include/linux/usb/gadget.h carries the teardown flag and the state_lock spinlock described in the fix. A system with no UDC driver bound is not exposed. There are no network-side detections for this issue, as it is a kernel race condition triggered locally during USB gadget teardown.

