CVE-2020-25669

A vulnerability was found in the Linux Kernel where the function sunkbdreinit having been scheduled by sunkbdinterrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbddisconnect, there is still an alias in sunkbdreinit causing Use After Free.

References

Affected packages

Git / github.com/torvalds/linux

Affected ranges

Type: GIT
Repo: https://github.com/torvalds/linux
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

77e70d351db7de07a46ac49b87a6c3c7a60fca7e

Type: GIT
Repo: https://github.com/torvalds/linux
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

77e70d351db7de07a46ac49b87a6c3c7a60fca7e

Affected versions

v2.*

v2.6.12-rc2

v2.6.12-rc3

v2.6.12-rc4

v2.6.13

v2.6.13-rc1

v2.6.13-rc2

v2.6.13-rc3

v2.6.13-rc4

v2.6.13-rc5

v2.6.13-rc6

v2.6.13-rc7

v2.6.14-rc1

v2.6.14-rc2

v2.6.14-rc3

v2.6.15-rc1

v2.6.15-rc2

v2.6.15-rc4

v2.6.15-rc5

v2.6.15-rc7

v2.6.16

v2.6.16-rc1

v2.6.16-rc2

v2.6.16-rc3

v2.6.16-rc4

v2.6.16-rc5

v2.6.16-rc6

v2.6.17

v2.6.17-rc1

v2.6.17-rc2

v2.6.17-rc3

v2.6.17-rc4

v2.6.17-rc5

v2.6.17-rc6

v2.6.18

v2.6.18-rc1

v2.6.18-rc2

v2.6.18-rc3

v2.6.18-rc5

v2.6.18-rc6

v2.6.19-rc1

v2.6.19-rc2

v2.6.20-rc1

v2.6.20-rc2

v2.6.20-rc3

v2.6.20-rc4

v2.6.20-rc5

v2.6.20-rc6

v2.6.20-rc7

v2.6.21

v2.6.21-rc1

v2.6.21-rc2

v2.6.21-rc3

v2.6.21-rc4

v2.6.21-rc5

v2.6.21-rc6

v2.6.21-rc7

v2.6.22

v2.6.22-rc1

v2.6.22-rc2

v2.6.22-rc3

v2.6.22-rc4

v2.6.22-rc5

v2.6.22-rc6

v2.6.22-rc7

v2.6.23

v2.6.23-rc1

v2.6.23-rc2

v2.6.23-rc3

v2.6.23-rc4

v2.6.23-rc5

v2.6.23-rc6

v2.6.23-rc7

v2.6.23-rc8

v2.6.23-rc9

v2.6.24

v2.6.24-rc1

v2.6.24-rc2

v2.6.24-rc3

v2.6.24-rc4

v2.6.24-rc5

v2.6.24-rc6

v2.6.24-rc7

v2.6.24-rc8

v2.6.25

v2.6.25-rc1

v2.6.25-rc2

v2.6.25-rc3

v2.6.25-rc4

v2.6.25-rc5

v2.6.25-rc6

v2.6.25-rc7

v2.6.25-rc8

v2.6.25-rc9

v2.6.26

v2.6.26-rc1

v2.6.26-rc2

v2.6.26-rc3

v2.6.26-rc4

v2.6.26-rc5

v2.6.26-rc6

v2.6.26-rc7

v2.6.26-rc8

v2.6.26-rc9

v2.6.27

v2.6.27-rc1

v2.6.27-rc2

v2.6.27-rc3

v2.6.27-rc4

v2.6.27-rc5

v2.6.27-rc6

v2.6.27-rc7

v2.6.27-rc8

v2.6.27-rc9

v2.6.28

v2.6.28-rc1

v2.6.28-rc2

v2.6.28-rc3

v2.6.28-rc4

v2.6.28-rc5

v2.6.28-rc6

v2.6.28-rc7

v2.6.28-rc8

v2.6.28-rc9

v2.6.29

v2.6.29-rc1

v2.6.29-rc2

v2.6.29-rc3

v2.6.29-rc4

v2.6.29-rc5

v2.6.29-rc6

v2.6.29-rc7

v2.6.29-rc8

v2.6.30

v2.6.30-rc1

v2.6.30-rc2

v2.6.30-rc3

v2.6.30-rc4

v2.6.30-rc5

v2.6.30-rc6

v2.6.30-rc7

v2.6.30-rc8

v2.6.31

v2.6.31-rc1

v2.6.31-rc2

v2.6.31-rc3

v2.6.31-rc4

v2.6.31-rc5

v2.6.31-rc6

v2.6.31-rc7

v2.6.31-rc8

v2.6.31-rc9

v2.6.32

v2.6.32-rc1

v2.6.32-rc2

v2.6.32-rc3

v2.6.32-rc4

v2.6.32-rc5

v2.6.32-rc6

v2.6.32-rc7

v2.6.32-rc8

v2.6.33

v2.6.33-rc1

v2.6.33-rc2

v2.6.33-rc3

v2.6.33-rc4

v2.6.33-rc5

v2.6.33-rc6

v2.6.33-rc7

v2.6.33-rc8

v2.6.34

v2.6.34-rc1

v2.6.34-rc2

v2.6.34-rc3

v2.6.34-rc4

v2.6.34-rc5

v2.6.34-rc6

v2.6.34-rc7

v2.6.35

v2.6.35-rc1

v2.6.35-rc2

v2.6.35-rc3

v2.6.35-rc4

v2.6.35-rc5

v2.6.35-rc6

v2.6.36

v2.6.36-rc1

v2.6.36-rc2

v2.6.36-rc3

v2.6.36-rc4

v2.6.36-rc5

v2.6.36-rc6

v2.6.36-rc7

v2.6.36-rc8

v2.6.37

v2.6.37-rc1

v2.6.37-rc2

v2.6.37-rc3

v2.6.37-rc4

v2.6.37-rc5

v2.6.37-rc6

v2.6.37-rc7

v2.6.37-rc8

v2.6.38

v2.6.38-rc1

v2.6.38-rc2

v2.6.38-rc3

v2.6.38-rc4

v2.6.38-rc5

v2.6.38-rc6

v2.6.38-rc7

v2.6.38-rc8

v2.6.39

v2.6.39-rc1

v2.6.39-rc2

v2.6.39-rc3

v2.6.39-rc4

v2.6.39-rc5

v2.6.39-rc6

v2.6.39-rc7

v3.*

v3.0-rc1

v3.0-rc2

v3.0-rc3

v3.0-rc4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-25669.json"

vanir_signatures

[
    {
        "digest": {
            "length": 699.0,
            "function_hash": "104334658876116112984850968431497711748"
        },
        "id": "CVE-2020-25669-2ef9f874",
        "signature_version": "v1",
        "source": "https://github.com/torvalds/linux/commit/77e70d351db7de07a46ac49b87a6c3c7a60fca7e",
        "signature_type": "Function",
        "target": {
            "function": "sunkbd_reinit",
            "file": "drivers/input/keyboard/sunkbd.c"
        },
        "deprecated": false
    },
    {
        "source": "https://github.com/torvalds/linux/commit/77e70d351db7de07a46ac49b87a6c3c7a60fca7e",
        "target": {
            "function": "sunkbd_interrupt",
            "file": "drivers/input/keyboard/sunkbd.c"
        },
        "deprecated": false,
        "digest": {
            "length": 894.0,
            "function_hash": "6367602438856320083335949813575234265"
        },
        "signature_type": "Function",
        "id": "CVE-2020-25669-5d3987c8",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "118443532649537729941164673811931340163",
                "203422894197475587745740242930361167592",
                "164083477563821247878985626832757806476",
                "61999899458629429136124360853706058765",
                "63279945143989848315624696910852363939",
                "123018636941730572960266198395926658616",
                "183507149842197368945927851632256745067",
                "111131185691292227801151521408911123159",
                "187111365880764740442279416957264087128",
                "154382406990812131599216740163784003465",
                "153675118561862691926914250467307895224",
                "162160927677496898538112843028620145315",
                "49941134006353884664399353715228690198",
                "291793303316683833641795005995016011429",
                "68167436149283934921765433719294647516",
                "264558019207172767982267730792785594691",
                "26233430185146513213152028039451186732",
                "54125615799416165011841180645235597537",
                "318579792029624966781450794205982525009"
            ]
        },
        "id": "CVE-2020-25669-62ee3537",
        "signature_version": "v1",
        "source": "https://github.com/torvalds/linux/commit/77e70d351db7de07a46ac49b87a6c3c7a60fca7e",
        "signature_type": "Line",
        "target": {
            "file": "drivers/input/keyboard/sunkbd.c"
        },
        "deprecated": false
    },
    {
        "digest": {
            "length": 144.0,
            "function_hash": "90205578429393617714537585819780989492"
        },
        "id": "CVE-2020-25669-7cd22648",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/torvalds/linux/commit/77e70d351db7de07a46ac49b87a6c3c7a60fca7e",
        "target": {
            "function": "sunkbd_enable",
            "file": "drivers/input/keyboard/sunkbd.c"
        }
    }
]

vanir_signatures_modified

"2026-04-11T11:23:25Z"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "4.4.245"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.5"
            },
            {
                "fixed": "4.9.245"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.10"
            },
            {
                "fixed": "4.14.208"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.15"
            },
            {
                "fixed": "4.19.159"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.20"
            },
            {
                "fixed": "5.4.79"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "5.5"
            },
            {
                "fixed": "5.9.10"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    }
]