CVE-2025-71073

HIGH

Linux Kernel - Use-After-Free in lkkbd_reinit Work Handler

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free. Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open().

References (3)

Core 3

Core References

Patch

https://git.kernel.org/stable/c/3a7cd1397c209076c371d53bf39a55c138f62342

Patch

https://git.kernel.org/stable/c/cffc4e29b1e2d44ab094cf142d7c461ff09b9104

Patch

https://git.kernel.org/stable/c/e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c

Scores

CVSS v3 7.8

EPSS 0.0002

EPSS Percentile 6.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-416

Status published

Products (13)

linux/Kernel 2.6.12 - 6.12.64linux

linux/Kernel 6.13.0 - 6.18.3linux

Linux/Linux < 2.6.12

Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 3a7cd1397c209076c371d53bf39a55c138f62342

Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - cffc4e29b1e2d44ab094cf142d7c461ff09b9104

Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c

Linux/Linux 2.6.12

Linux/Linux 6.12.64 - 6.12.*

Linux/Linux 6.18.3 - 6.18.*

Linux/Linux 6.19

... and 3 more

Published Jan 13, 2026

Tracked Since Feb 18, 2026