CVE-2025-68822
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-01-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in psmouse_disconnect() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after flush_workqueue() has finished executing, the dev3_register_work could still be scheduled. Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), the scheduling of dev3_register_work remains unaffected. The race condition can occur as follows: CPU 0 (cleanup path) | CPU 1 (delayed work) psmouse_disconnect() | psmouse_set_state() | flush_workqueue() | alps_report_bare_ps2_packet() alps_disconnect() | psmouse_queue_work() kfree(priv); // FREE | alps_register_bare_ps2_mouse() | priv = container_of(work...); // USE | priv->dev3 // USE Add disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated. This bug is identified by static analysis.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-14
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68822
EUVD
EUVD-2026-2280
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alps alps *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free bug in the Linux kernel related to the ALPS touchpad driver. It occurs because a delayed work item (dev3_register_work) can be scheduled after the associated data structure (alps_data) has been freed during device disconnection. The original code calls flush_workqueue() to wait for queued work to finish, but this does not block work items queued after the call. As a result, dev3_register_work may execute after the data it uses has been deallocated, leading to a race condition and potential memory corruption. The fix involves properly canceling the delayed work to prevent it from running after the data is freed.

Impact Analysis

This vulnerability can lead to use-after-free conditions, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges. This can compromise the security and reliability of the affected system, especially if exploited.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the alps driver includes the fix that adds disable_delayed_work_sync() in alps_disconnect(). This ensures that the dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated, avoiding the use-after-free bug.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68822. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart