CVE-2025-71073
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-03-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free. Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-71073
EUVD
EUVD-2026-2271
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.13 (inc) to 6.18.3 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 2.6.12.1 (inc) to 6.12.64 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves the lkkbd driver where a work handler (lkkbd_reinit) can run after the lkkbd structure has been freed. Specifically, lkkbd_interrupt() schedules work that dereferences the lkkbd structure, but lkkbd_disconnect() and error paths in lkkbd_connect() free this structure without properly preventing the work from being re-queued. This leads to a potential use-after-free condition, which can cause undefined behavior or crashes. The fix involves using disable_work_sync() instead of cancel_work_sync() to ensure the work cannot be re-queued after the structure is freed.

Impact Analysis

This vulnerability can lead to use-after-free conditions in the Linux kernel's lkkbd driver, potentially causing system instability, crashes, or security issues such as arbitrary code execution or privilege escalation if exploited. It affects the reliability and security of systems running the vulnerable Linux kernel.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the issue is resolved. The fix involves using disable_work_sync() instead of cancel_work_sync() in the lkkbd_disconnect() and lkkbd_connect() error paths to prevent the work handler from running after the structure has been freed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71073. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart