CVE-2025-21929

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21929
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21929.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-21929
Downstream
Related
Published
2025-04-01T15:40:59Z
Modified
2025-10-15T22:38:47.860549Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: Fix use-after-free issue in hidishtpcl_remove()

During the rmmod operation for the intel_ishtp_hid driver, a use-after-free issue can occur in the hidishtpclremove() function. The function hidishtpcldeinit() is called before ishtphidremove(), which can lead to accessing freed memory or resources during the removal process.

Call Trace: ? ishtpclsend+0x168/0x220 [intelishtp] ? hidoutputreport+0xe3/0x150 [hid] hidishtpsetfeature+0xb5/0x120 [intelishtphid] ishtphidrequest+0x7b/0xb0 [intelishtphid] hidhwrequest+0x1f/0x40 [hid] sensorhubsetfeature+0x11f/0x190 [hidsensorhub] _hidsensorpowerstate+0x147/0x1e0 [hidsensortrigger] hidsensorruntimeresume+0x22/0x30 [hidsensortrigger] sensorhubremove+0xa8/0xe0 [hidsensorhub] hiddeviceremove+0x49/0xb0 [hid] hiddestroydevice+0x6f/0x90 [hid] ishtphidremove+0x42/0x70 [intelishtphid] hidishtpclremove+0x6b/0xb0 [intelishtphid] ishtpcldeviceremove+0x4a/0x60 [intelishtp] ...

Additionally, ishtphidremove() is a HID level power off, which should occur before the ISHTP level disconnect.

This patch resolves the issue by reordering the calls in hidishtpclremove(). The function ishtphidremove() is now called before hidishtpcldeinit().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f645a90e8ff732c48dd9f18815baef08c44ac8a0
Fixed
9c677fe859a73f5dd3dd84c27f99e10d28047c73
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f645a90e8ff732c48dd9f18815baef08c44ac8a0
Fixed
e040f11fbca868c6d151e9f2c5730c476abfcf17
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f645a90e8ff732c48dd9f18815baef08c44ac8a0
Fixed
823987841424289339fdb4ba90e6d2c3792836db

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.7
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.12.19
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.7