CVE-2025-21928

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21928
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21928.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21928
Published
2025-04-01T16:15:23Z
Modified
2025-08-09T20:01:28Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function.

The function currently frees the driver_data directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, hid_destroy_device() uses driver_data when it calls hid_ishtp_set_feature() to power off the sensor, so freeing driver_data beforehand can result in accessing invalid memory.

This patch resolves the issue by storing the driver_data in a temporary variable before calling hid_destroy_device(), and then freeing the driver_data after the device is destroyed.
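The ordering bug and its fix described above, as an added illustration in user-space C that is not the kernel's code: the structures, release_driver_data() and the two remove functions are constructed stand-ins, and the free is modelled as a flag so the premature read is observable instead of undefined behaviour.

```c
#include <stdio.h>
/* Constructed stand-ins for the kernel objects named in the advisory (not the
 * intel-ish-hid sources). driver_data is the per-sensor state that
 * hid_destroy_device() still reads while powering the sensor off. */
struct driver_data { int freed; int sensor_on; };
struct hid_device  { struct driver_data *driver_data; };

/* Stands in for kfree(): marks the object released instead of freeing it,
 * so a later read is detectable rather than undefined behaviour. */
static void release_driver_data(struct driver_data *dd) { dd->freed = 1; }

/* Models hid_destroy_device() calling hid_ishtp_set_feature() to power the
 * sensor off through driver_data; returns -1 where the kernel would read
 * already-freed memory. */
static int hid_destroy_device(struct hid_device *hid)
{
    struct driver_data *dd = hid->driver_data;
    if (dd->freed)
        return -1;          /* use-after-free in the real driver */
    dd->sensor_on = 0;      /* power off the sensor */
    return 0;
}

/* Pre-fix ordering: driver_data freed inside the loop, before destroy. */
int ishtp_hid_remove_vulnerable(struct hid_device *devs, int n)
{
    int invalid = 0;
    for (int i = 0; i < n; i++) {
        release_driver_data(devs[i].driver_data);
        if (hid_destroy_device(&devs[i]) != 0)
            invalid++;
    }
    return invalid;
}

/* Fixed ordering from the patch: stash the pointer, destroy, then free. */
int ishtp_hid_remove_fixed(struct hid_device *devs, int n)
{
    int invalid = 0;
    for (int i = 0; i < n; i++) {
        struct driver_data *dd = devs[i].driver_data;
        if (hid_destroy_device(&devs[i]) != 0)
            invalid++;
        release_driver_data(dd);
    }
    return invalid;
}

/* Runs one teardown over three live devices; returns invalid-access count. */
int run_teardown(int use_fix)
{
    struct driver_data dd[3] = { {0, 1}, {0, 1}, {0, 1} };
    struct hid_device devs[3] = { {&dd[0]}, {&dd[1]}, {&dd[2]} };
    return use_fix ? ishtp_hid_remove_fixed(devs, 3)
                   : ishtp_hid_remove_vulnerable(devs, 3);
}
```

run_teardown(0) reports one invalid access per device with the old ordering, while run_teardown(1) reports none.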
