CVE-2025-68781

The delayed work item otgevent is initialized in fslotg_conf() and scheduled under two conditions: 1. When a host controller binds to the OTG controller. 2. When the USB ID pin state changes (cable insertion/removal).

A race condition occurs when the device is removed via fslotgremove(): the fslotg instance may be freed while the delayed work is still pending or executing. This leads to use-after-free when the work function fslotg_event() accesses the already freed memory.

The problematic scenario:

Fix this by calling disabledelayedworksync() in fslotgremove() before deallocating the fslotg structure. This ensures the delayed work is properly canceled and completes execution prior to memory deallocation.

This bug was identified through static analysis.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68781.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0807c500a1a6d7fa20cbd7bbe7fea14a66112463

Fixed

4476c73bbbb09b13a962176fca934b32d3954a2e

Fixed

319f7a85b3c4e34ac2fe083eb146fe129a556317

Fixed

69f9a0701abc3d1f8225074c56c27e6c16a37222

Fixed

2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23

Fixed

41ca62e3e21e48c2903b3b45e232cf4f2ff7434f

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68781.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

6.1.160

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.120

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.64

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68781.json"