Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68804

CVE-2025-68804: Linux Kernel UAF Vulnerability

CVE-2025-68804 is a use-after-free flaw in the Linux kernel's cros_ec_ishtp driver that causes crashes when a kthread accesses freed memory after driver unbinding. This article covers technical details, impact, and mitigation.

Updated:

CVE-2025-68804 Overview

A Use-After-Free (UAF) vulnerability has been discovered in the Linux kernel's Chrome platform driver (cros_ec_ishtp). The vulnerability occurs when the driver is unbound while a kernel thread (cros_ec_console_log_work) continues to access the device, resulting in a UAF condition and system crash.

Critical Impact

This vulnerability can lead to system crashes and potential arbitrary code execution in kernel context due to the Use-After-Free condition in the Chrome EC ISHTP driver.

Affected Products

  • Linux kernel with Chrome platform support (platform/chrome)
  • Systems using the cros_ec_ishtp driver
  • Chromebook and Chrome OS devices with Intel Sensor Hub Technology Protocol (ISHTP)

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-68804 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68804

Vulnerability Analysis

The vulnerability exists in the Chrome EC (Embedded Controller) ISHTP driver used in Chrome platform devices. When the driver's .remove() function is called during driver unbinding, it fails to properly unregister the EC device. This oversight allows the cros_ec_console_log_work kernel thread to continue accessing device structures that have already been freed.

The core issue is a classic Use-After-Free scenario where the driver cleanup procedure does not synchronously shutdown sub-devices before releasing resources. The kernel thread maintains a reference to memory that becomes invalid after the driver unbind operation, leading to memory corruption when the thread attempts to access the freed device structure.

Root Cause

The root cause is the missing device unregistration in the driver's .remove() callback function. The cros_ec_ishtp driver did not properly unregister the EC device during removal, which should trigger a synchronous shutdown of all sub-devices. Without this proper cleanup, background kernel threads like cros_ec_console_log_work continue to operate on stale device references.

Attack Vector

The attack vector requires local access to the system with sufficient privileges to unbind drivers. An attacker or a triggered event that unbinds the cros_ec_ishtp driver while the console log worker thread is active could exploit this vulnerability. The resulting UAF condition could potentially be leveraged for:

  • Denial of service through kernel crash
  • Potential privilege escalation if the freed memory is reallocated with attacker-controlled data
  • Kernel memory corruption affecting system stability

The fix adds proper EC device unregistration in the .remove() callback, ensuring all sub-devices are synchronously shutdown before the driver releases its resources. This prevents the kernel thread from accessing freed memory structures.

Detection Methods for CVE-2025-68804

Indicators of Compromise

  • Kernel panic or oops messages referencing cros_ec_ishtp or cros_ec_console_log_work
  • System crashes occurring during driver unbind operations on Chrome platform devices
  • Kernel log entries showing memory access violations in EC-related subsystems
  • Unexpected system reboots on Chromebook or Chrome OS devices

Detection Strategies

  • Monitor kernel logs for UAF-related crash dumps mentioning the cros_ec driver components
  • Implement kernel crash dump analysis to detect patterns matching this vulnerability
  • Use kernel address sanitizer (KASAN) in development environments to catch UAF conditions
  • Deploy SentinelOne Singularity platform for real-time kernel-level threat detection

Monitoring Recommendations

  • Enable kernel crash dump collection and analysis on affected systems
  • Monitor for unusual driver unbind/rebind activity in system logs
  • Implement automated alerting for kernel panic events related to Chrome platform drivers
  • Use SentinelOne's behavioral AI to detect exploitation attempts targeting kernel memory corruption

How to Mitigate CVE-2025-68804

Immediate Actions Required

  • Update the Linux kernel to a patched version containing the fix
  • Avoid manual driver unbinding operations on the cros_ec_ishtp driver until patched
  • Monitor Chrome platform devices for unexpected system crashes
  • Apply vendor-provided kernel updates for Chrome OS and Chromebook devices

Patch Information

The vulnerability has been fixed through multiple kernel commits. The fix properly unregisters the EC device in the .remove() callback to ensure synchronous shutdown of sub-devices. Patches are available in the stable kernel branches:

Workarounds

  • Avoid triggering driver unbind operations on the cros_ec_ishtp driver
  • If driver removal is necessary, ensure the system is in a quiescent state with minimal EC activity
  • Consider blacklisting the driver temporarily if the functionality is not critical
  • Apply kernel live patching solutions where available to mitigate without reboot
bash
# Check if the vulnerable driver is loaded
lsmod | grep cros_ec_ishtp

# View kernel logs for any UAF-related issues
dmesg | grep -E "(cros_ec|UAF|use.after.free)"

# Update kernel to patched version (distribution-specific)
# For Debian/Ubuntu:
sudo apt update && sudo apt upgrade linux-image-$(uname -r)

# For Fedora/RHEL:
sudo dnf update kernel

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.