CVE-2025-68249

Source
https://cve.org/CVERecord?id=CVE-2025-68249
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68249.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-68249
Published
2025-12-16T14:32:16.370Z
Modified
2026-05-15T04:14:11.687486852Z
Summary
most: usb: hdm_probe: Fix calling put_device() before device initialization
Details

In the Linux kernel, the following vulnerability has been resolved:

most: usb: hdm_probe: Fix calling put_device() before device initialization

The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject.

In this path the private struct was only kmalloc'ed and the intended release is effectively kfree(mdev) anyway, so free it directly instead of calling put_device() on an uninitialized device.

This removes the WARNING and fixes the pre-initialization error path.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68249.json",
    "cna_assigner": "Linux"
}

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  5.9.0       5.10.246
ECOSYSTEM  5.11.0      5.15.196
ECOSYSTEM  5.16.0      6.1.158
ECOSYSTEM  6.2.0       6.6.115
ECOSYSTEM  6.7.0       6.12.56
ECOSYSTEM  6.13.0      6.17.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68249.json"