{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68781", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T10:30:51.036Z", "datePublished": "2026-01-13T15:28:56.261Z", "dateUpdated": "2026-05-11T21:53:13.732Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:53:13.732Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: fsl-usb: Fix use-after-free in delayed work during device removal\n\nThe delayed work item otg_event is initialized in fsl_otg_conf() and\nscheduled under two conditions:\n1. When a host controller binds to the OTG controller.\n2. When the USB ID pin state changes (cable insertion/removal).\n\nA race condition occurs when the device is removed via fsl_otg_remove():\nthe fsl_otg instance may be freed while the delayed work is still pending\nor executing. This leads to use-after-free when the work function\nfsl_otg_event() accesses the already freed memory.\n\nThe problematic scenario:\n\n(detach thread) | (delayed work)\nfsl_otg_remove() |\n kfree(fsl_otg_dev) //FREE| fsl_otg_event()\n | og = container_of(...) //USE\n | og-> //USE\n\nFix this by calling disable_delayed_work_sync() in fsl_otg_remove()\nbefore deallocating the fsl_otg structure. This ensures the delayed work\nis properly canceled and completes execution prior to memory deallocation.\n\nThis bug was identified through static analysis."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/phy/phy-fsl-usb.c"], "versions": [{"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463", "lessThan": "4476c73bbbb09b13a962176fca934b32d3954a2e", "status": "affected", "versionType": "git"}, {"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463", "lessThan": "319f7a85b3c4e34ac2fe083eb146fe129a556317", "status": "affected", "versionType": "git"}, {"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463", "lessThan": "69f9a0701abc3d1f8225074c56c27e6c16a37222", "status": "affected", "versionType": "git"}, {"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463", "lessThan": "2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23", "status": "affected", "versionType": "git"}, {"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463", "lessThan": "41ca62e3e21e48c2903b3b45e232cf4f2ff7434f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/phy/phy-fsl-usb.c"], "versions": [{"version": "3.0", "status": "affected"}, {"version": "0", "lessThan": "3.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.160", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.120", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.64", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.3", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.1.160"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.6.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.12.64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.18.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e"}, {"url": "https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317"}, {"url": "https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222"}, {"url": "https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23"}, {"url": "https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f"}], "title": "usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: fsl-usb: Fix use-after-free in delayed work during device removal\n\nThe delayed work item otg_event is initialized in fsl_otg_conf() and\nscheduled under two conditions:\n1. When a host controller binds to the OTG controller.\n2. When the USB ID pin state changes (cable insertion/removal).\n\nA race condition occurs when the device is removed via fsl_otg_remove():\nthe fsl_otg instance may be freed while the delayed work is still pending\nor executing. This leads to use-after-free when the work function\nfsl_otg_event() accesses the already freed memory.\n\nThe problematic scenario:\n\n(detach thread) | (delayed work)\nfsl_otg_remove() |\n kfree(fsl_otg_dev) //FREE| fsl_otg_event()\n | og = container_of(...) //USE\n | og-> //USE\n\nFix this by calling disable_delayed_work_sync() in fsl_otg_remove()\nbefore deallocating the fsl_otg structure. This ensures the delayed work\nis properly canceled and completes execution prior to memory deallocation.\n\nThis bug was identified through static analysis."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nusb: phy: fsl-usb: Correcci\u00f3n de uso despu\u00e9s de liberaci\u00f3n en trabajo retrasado durante la eliminaci\u00f3n del dispositivo\n\nEl elemento de trabajo retrasado otg_event se inicializa en fsl_otg_conf() y se programa bajo dos condiciones:\n1. Cuando un controlador de host se enlaza al controlador OTG.\n2. Cuando el estado del pin ID USB cambia (inserci\u00f3n/extracci\u00f3n de cable).\n\nUna condici\u00f3n de carrera ocurre cuando el dispositivo es eliminado a trav\u00e9s de fsl_otg_remove(): la instancia fsl_otg puede ser liberada mientras el trabajo retrasado a\u00fan est\u00e1 pendiente o ejecut\u00e1ndose. Esto lleva a un uso despu\u00e9s de liberaci\u00f3n cuando la funci\u00f3n de trabajo fsl_otg_event() accede a la memoria ya liberada.\n\nEl escenario problem\u00e1tico:\n\n(hilo de desvinculaci\u00f3n) | (trabajo retrasado)\nfsl_otg_remove() |\nkfree(fsl_otg_dev) //FREE| fsl_otg_event()\n| og = container_of(...) //USE\n| og-> //USE\n\nSolucione esto llamando a disable_delayed_work_sync() en fsl_otg_remove() antes de desasignar la estructura fsl_otg. Esto asegura que el trabajo retrasado sea cancelado correctamente y complete su ejecuci\u00f3n antes de la desasignaci\u00f3n de memoria.\n\nEste error fue identificado a trav\u00e9s de an\u00e1lisis est\u00e1tico."}], "id": "CVE-2025-68781", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-01-13T16:15:57.773", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal", "id": "2429034", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429034"}, "csaw": false, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusb: phy: fsl-usb: Fix use-after-free in delayed work during device removal\nThe delayed work item otg_event is initialized in fsl_otg_conf() and\nscheduled under two conditions:\n1. When a host controller binds to the OTG controller.\n2. When the USB ID pin state changes (cable insertion/removal).\nA race condition occurs when the device is removed via fsl_otg_remove():\nthe fsl_otg instance may be freed while the delayed work is still pending\nor executing. This leads to use-after-free when the work function\nfsl_otg_event() accesses the already freed memory.\nThe problematic scenario:\n(detach thread) | (delayed work)\nfsl_otg_remove() |\nkfree(fsl_otg_dev) //FREE| fsl_otg_event()\n| og = container_of(...) //USE\n| og-> //USE\nFix this by calling disable_delayed_work_sync() in fsl_otg_remove()\nbefore deallocating the fsl_otg structure. This ensures the delayed work\nis properly canceled and completes execution prior to memory deallocation.\nThis bug was identified through static analysis."], "name": "CVE-2025-68781", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68781\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68781\nhttps://lore.kernel.org/linux-cve-announce/2026011301-CVE-2025-68781-f30f@gregkh/T"]}

{}