CVE-2025-68804 Overview
A Use-After-Free (UAF) vulnerability has been discovered in the Linux kernel's Chrome platform driver (cros_ec_ishtp). The vulnerability occurs when the driver is unbound while a kernel thread (cros_ec_console_log_work) continues to access the device, resulting in a UAF condition and system crash.
Critical Impact
This vulnerability can lead to system crashes and potential arbitrary code execution in kernel context due to the Use-After-Free condition in the Chrome EC ISHTP driver.
Affected Products
- Linux kernel with Chrome platform support (platform/chrome)
- Systems using the cros_ec_ishtp driver
- Chromebook and Chrome OS devices with Intel Sensor Hub Technology Protocol (ISHTP)
Discovery Timeline
- 2026-01-13 - CVE-2025-68804 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68804
Vulnerability Analysis
The vulnerability exists in the Chrome EC (Embedded Controller) ISHTP driver used in Chrome platform devices. When the driver's .remove() function is called during driver unbinding, it fails to properly unregister the EC device. This oversight allows the cros_ec_console_log_work kernel thread to continue accessing device structures that have already been freed.
The core issue is a classic Use-After-Free scenario where the driver cleanup procedure does not synchronously shut down sub-devices before releasing resources. The kernel thread maintains a reference to memory that becomes invalid after the driver unbind operation, leading to memory corruption when the thread attempts to access the freed device structure.
Root Cause
The root cause is the missing device unregistration in the driver's .remove() callback function. The cros_ec_ishtp driver did not properly unregister the EC device during removal, which should trigger a synchronous shutdown of all sub-devices. Without this proper cleanup, background kernel threads like cros_ec_console_log_work continue to operate on stale device references.
Attack Vector
The attack vector requires local access to the system with sufficient privileges to unbind drivers. An attacker or a triggered event that unbinds the cros_ec_ishtp driver while the console log worker thread is active could exploit this vulnerability. The resulting UAF condition could potentially be leveraged for:
- Denial of service through kernel crash
- Potential privilege escalation if the freed memory is reallocated with attacker-controlled data
- Kernel memory corruption affecting system stability
The fix adds proper EC device unregistration in the .remove() callback, ensuring all sub-devices are synchronously shut down before the driver releases its resources. This prevents the kernel thread from accessing freed memory structures.
Detection Methods for CVE-2025-68804
Indicators of Compromise
- Kernel panic or oops messages referencing cros_ec_ishtp or cros_ec_console_log_work
- System crashes occurring during driver unbind operations on Chrome platform devices
- Kernel log entries showing memory access violations in EC-related subsystems
- Unexpected system reboots on Chromebook or Chrome OS devices
Detection Strategies
- Monitor kernel logs for UAF-related crash dumps mentioning the cros_ec driver components
- Implement kernel crash dump analysis to detect patterns matching this vulnerability
- Use kernel address sanitizer (KASAN) in development environments to catch UAF conditions
- Deploy SentinelOne Singularity platform for real-time kernel-level threat detection
Monitoring Recommendations
- Enable kernel crash dump collection and analysis on affected systems
- Monitor for unusual driver unbind/rebind activity in system logs
- Implement automated alerting for kernel panic events related to Chrome platform drivers
- Use SentinelOne's behavioral AI to detect exploitation attempts targeting kernel memory corruption
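The log monitoring recommended in the two lists above, as an added example (not code from the original advisory or from SentinelOne): a Python triage function that groups kernel crash reports and returns only those naming the driver or worker thread from this advisory. The sample log is constructed, and the report-start patterns and the 80-line cap are assumptions.

```python
import re
import sys

# Lines that open a kernel crash report (KASAN, oops, GPF, bad pointer).
REPORT_START = re.compile(
    r"BUG: KASAN: |Oops: |general protection fault|"
    r"BUG: unable to handle|Unable to handle kernel")
# Driver and worker names as given in the advisory text.
SYMBOLS = re.compile(r"cros_ec_ishtp|cros_ec_console_log_work")
TIMESTAMP = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")
MAX_REPORT_LINES = 80  # assumption: cap on how many lines one report spans

# Constructed sample: offsets, addresses and the second driver are placeholders.
SAMPLE_LOG = """\
[   12.000100] cros_ec_ishtp: EC device registered
[  345.100000] ==================================================================
[  345.100010] BUG: KASAN: slab-use-after-free in cros_ec_console_log_work+0x0/0x0
[  345.100020] Read of size 8 at addr 0000000000000000 by task kworker/0:1/42
[  345.100030] Workqueue: events cros_ec_console_log_work
[  345.100040] ==================================================================
[  400.200000] Oops: 0002 [#1] SMP
[  400.200010] RIP: 0010:example_other_driver_irq+0x0/0x0
[  400.200020] ---[ end trace 0000000000000000 ]---
""".splitlines()


def find_cros_ec_reports(lines):
    """Return crash reports whose text names the cros_ec_ishtp components."""
    reports, current = [], None
    for raw in lines:
        m = TIMESTAMP.match(raw.rstrip("\n"))
        ts, msg = (m.group(1), m.group(2)) if m else (None, raw.strip())
        if REPORT_START.search(msg):
            current = {"time": ts, "headline": msg, "symbols": set(), "n": 0}
            reports.append(current)
        if current is None:
            continue  # ordinary log line outside any crash report
        current["symbols"].update(SYMBOLS.findall(msg))
        current["n"] += 1
        # A report ends at the KASAN "=====" rule, "end trace", or the cap.
        if (msg.startswith("=====") or "end trace" in msg
                or current["n"] >= MAX_REPORT_LINES):
            current = None
    return [r for r in reports if r["symbols"]]


if __name__ == "__main__":
    # Pass a saved dmesg/journal file as argv[1]; otherwise use the sample.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for r in find_cros_ec_reports(src):
        print(f"[{r['time']}] {r['headline']} (names: {sorted(r['symbols'])})")
```

A driver log line that merely mentions cros_ec_ishtp outside a crash report is not flagged, which keeps alerts tied to actual crash reports.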
How to Mitigate CVE-2025-68804
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Avoid manual driver unbinding operations on the cros_ec_ishtp driver until patched
- Monitor Chrome platform devices for unexpected system crashes
- Apply vendor-provided kernel updates for Chrome OS and Chromebook devices
Patch Information
The vulnerability has been fixed through multiple kernel commits. The fix properly unregisters the EC device in the .remove() callback to ensure synchronous shutdown of sub-devices. Patches are available in the stable kernel branches:
- Kernel Git Commit 24a2062257bb
- Kernel Git Commit 393b8f9bedc7
- Kernel Git Commit 4701493ba376
- Kernel Git Commit 8dc1f5a85286
- Kernel Git Commit 944edca81e7a
Workarounds
- Avoid triggering driver unbind operations on the cros_ec_ishtp driver
- If driver removal is necessary, ensure the system is in a quiescent state with minimal EC activity
- Consider blacklisting the driver temporarily if the functionality is not critical
- Apply kernel live patching solutions where available to mitigate without reboot
```bash
# Check if the vulnerable driver is loaded
lsmod | grep cros_ec_ishtp
# View kernel logs for any UAF-related issues (case-insensitive match)
dmesg | grep -iE "(cros_ec|UAF|use.after.free)"
# Update kernel to patched version (distribution-specific)
# For Debian/Ubuntu (full-upgrade lets a newer kernel package be installed;
# linux-image-$(uname -r) would only name the currently running kernel build):
sudo apt update && sudo apt full-upgrade
# For Fedora/RHEL:
sudo dnf update kernel
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

