In the Linux kernel, the following vulnerability has been resolved:
HID: appletb-kbd: fix UAF in inactivity-timer cleanup path
Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in appletbkbdprobe") added timerdeletesync(&kbd->inactivitytimer) to both the probe closehw error path and appletbkbdremove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.
Window A -- putdevice() before timerdelete_sync():
put_device(&kbd->backlight_dev->dev);
timer_delete_sync(&kbd->inactivity_timer);
The inactivitytimer softirq reads kbd->backlightdev and calls backlightdevicesetbrightness() -> mutexlock(&opslock). If a concurrent hidappletbbl unbind drops the last devm reference between these two calls, the backlightdevice is freed and the mutex_lock() touches freed memory.
Window B -- backlight cleanup before hidhwstop():
if (kbd->backlight_dev) {
timer_delete_sync(...);
put_device(...);
}
hid_hw_close(hdev);
hid_hw_stop(hdev);
Even after Window A is closed, hidhwclose()/hidhwstop() still run afterwards, so a late ".event" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timerdeletesync() drained the softirq but before putdevice() drops the reference. That callback reaches resetinactivitytimer(), which calls modtimer() and re-arms the timer. The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.
Both windows produce the same KASAN slab-use-after-free:
BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0 Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0 Call Trace: <IRQ> __mutexlock backlightdevicesetbrightness appletbinactivitytimer calltimerfn runtimersoftirq handlesoftirqs Allocated by task N: devmbacklightdeviceregister appletbblprobe Freed by task M: (concurrent hidappletbbl unbind path)
Close both windows at once by reworking the tear-down in appletbkbdremove() and in the probe close_hw error path so that
1) hidhwclose()/hidhwstop() run before the backlight cleanup, guaranteeing no further .event callback can fire and re-arm the timer, and 2) inside the "if (kbd->backlightdev)" block, timerdeletesync() runs before putdevice(), so the softirq is drained before the final reference is dropped.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46213.json",
"cna_assigner": "Linux"
}