Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68781

CVE-2025-68781: Linux Kernel Use-After-Free Vulnerability

CVE-2025-68781 is a use-after-free vulnerability in the Linux kernel USB PHY driver that occurs during device removal when delayed work accesses freed memory. This post covers technical details, affected systems, and fixes.

Updated:

CVE-2025-68781 Overview

A use-after-free vulnerability has been identified in the Linux kernel's FSL-USB PHY driver (fsl-usb). The vulnerability exists in the handling of delayed work items during device removal, where a race condition can occur between the device detachment process and pending delayed work execution.

The delayed work item otg_event is initialized in fsl_otg_conf() and can be scheduled under two conditions: when a host controller binds to the OTG controller, or when the USB ID pin state changes during cable insertion/removal events. When the device is removed via fsl_otg_remove(), the fsl_otg instance may be freed while the delayed work is still pending or actively executing, leading to memory corruption when the work function fsl_otg_event() attempts to access freed memory.

Critical Impact

Use-after-free condition in the Linux kernel USB subsystem may lead to kernel memory corruption, system instability, or potential privilege escalation on systems using FSL-USB OTG controllers.

Affected Products

  • Linux kernel with FSL-USB PHY driver (drivers/usb/phy/fsl-usb)
  • Systems using Freescale/NXP USB OTG controllers
  • Embedded systems and devices with FSL USB PHY support

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-68781 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68781

Vulnerability Analysis

This vulnerability is a classic use-after-free condition caused by improper synchronization between device teardown and asynchronous work execution. The FSL-USB OTG driver uses delayed work queues to handle OTG events asynchronously, but the original implementation failed to ensure these work items were properly canceled before freeing the associated data structures.

The memory corruption occurs because the fsl_otg_event() function uses container_of() to derive a pointer to the parent fsl_otg structure from the work item. When fsl_otg_remove() frees the fsl_otg_dev structure while the work function is still pending or executing, subsequent access to the structure results in dereferencing freed memory.

Root Cause

The root cause is a missing synchronization mechanism in the fsl_otg_remove() function. The original code freed the fsl_otg structure without first ensuring that all pending delayed work items had completed. This creates a Time-of-Check Time-of-Use (TOCTOU) race condition where the work function assumes the parent structure is valid, but it may have been deallocated by another thread.

The race condition window exists between the time the delayed work is scheduled and when it actually executes. During device removal, this window allows the detach thread to free memory that the work function still references.

Attack Vector

The vulnerability can be triggered through device removal operations on systems with FSL-USB OTG hardware. The race condition manifests during the following scenario:

  1. A delayed work item (otg_event) is scheduled due to cable insertion/removal or host controller binding
  2. Before the work completes, the device is removed (e.g., via unbind, module unload, or hardware removal)
  3. The fsl_otg_remove() function frees the fsl_otg_dev structure
  4. The pending work function fsl_otg_event() executes and attempts to access the freed memory via container_of()

The fix introduces a call to disable_delayed_work_sync() before deallocating the structure, ensuring proper cancellation and completion of any pending work items.

Detection Methods for CVE-2025-68781

Indicators of Compromise

  • Kernel panic or oops messages referencing fsl_otg_event or fsl_otg_remove functions
  • Memory corruption warnings in kernel logs related to USB PHY operations
  • Unexpected system crashes during USB cable insertion/removal events
  • KASAN (Kernel Address Sanitizer) reports indicating use-after-free in the fsl-usb driver

Detection Strategies

  • Monitor kernel logs for memory corruption warnings in USB subsystem components
  • Enable KASAN in development/testing environments to detect use-after-free conditions
  • Implement runtime memory debugging tools to catch invalid memory accesses
  • Track kernel module loading/unloading events for the fsl-usb driver

Monitoring Recommendations

  • Configure syslog monitoring for kernel oops and panic messages
  • Deploy endpoint detection solutions capable of monitoring kernel-level anomalies
  • Enable kernel crash dump collection for forensic analysis
  • Monitor for unusual patterns in USB device enumeration and removal events

How to Mitigate CVE-2025-68781

Immediate Actions Required

  • Update to a patched Linux kernel version containing the fix
  • Review systems using FSL-USB OTG hardware and prioritize patching
  • Consider disabling the fsl-usb module on non-essential systems until patching is complete
  • Monitor affected systems for signs of kernel instability or crashes

Patch Information

The vulnerability has been resolved by adding a call to disable_delayed_work_sync() in the fsl_otg_remove() function before deallocating the fsl_otg structure. This ensures that any pending or executing delayed work is properly canceled and completed prior to memory deallocation.

Official kernel patches are available through the following commits:

Workarounds

  • Blacklist the fsl-usb kernel module if FSL-USB OTG functionality is not required
  • Avoid dynamic USB cable insertion/removal on affected systems until patched
  • Implement kernel module unload restrictions to prevent race condition triggers
  • Use kernel live patching mechanisms where available to apply the fix without system reboot
bash
# Configuration example
# Blacklist the fsl-usb module if not required
echo "blacklist phy-fsl-usb" >> /etc/modprobe.d/blacklist-fsl-usb.conf

# Prevent module unloading to reduce race condition window
echo "options phy_fsl_usb disable_unload=1" >> /etc/modprobe.d/fsl-usb.conf

# Verify current kernel version and check for patches
uname -r

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.