CVE-2025-21929
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-21929
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21929.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-21929
- Downstream
- Related
- Published
- 2025-04-01T16:15:23Z
- Modified
- 2025-08-09T19:01:27Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: Fix use-after-free issue in hidishtpcl_remove()
During the
rmmodoperation for theintel_ishtp_hiddriver, a use-after-free issue can occur in the hidishtpclremove() function. The function hidishtpcldeinit() is called before ishtphidremove(), which can lead to accessing freed memory or resources during the removal process.Call Trace: ? ishtpclsend+0x168/0x220 [intelishtp] ? hidoutputreport+0xe3/0x150 [hid] hidishtpsetfeature+0xb5/0x120 [intelishtphid] ishtphidrequest+0x7b/0xb0 [intelishtphid] hidhwrequest+0x1f/0x40 [hid] sensorhubsetfeature+0x11f/0x190 [hidsensorhub] _hidsensorpowerstate+0x147/0x1e0 [hidsensortrigger] hidsensorruntimeresume+0x22/0x30 [hidsensortrigger] sensorhubremove+0xa8/0xe0 [hidsensorhub] hiddeviceremove+0x49/0xb0 [hid] hiddestroydevice+0x6f/0x90 [hid] ishtphidremove+0x42/0x70 [intelishtphid] hidishtpclremove+0x6b/0xb0 [intelishtphid] ishtpcldeviceremove+0x4a/0x60 [intelishtp] ...
Additionally, ishtphidremove() is a HID level power off, which should occur before the ISHTP level disconnect.
This patch resolves the issue by reordering the calls in hidishtpclremove(). The function ishtphidremove() is now called before hidishtpcldeinit().
- References