CVE-2025-68822 Overview
A use-after-free vulnerability has been identified in the Linux kernel's ALPS touchpad input driver. The flaw exists in the dev3_register_work delayed work item handling during device detachment, where a race condition between the cleanup path and delayed work execution can lead to memory access after the alps_data structure has been deallocated.
Critical Impact
This use-after-free vulnerability in the Linux kernel's ALPS input driver could allow an attacker to execute arbitrary code or cause system instability by exploiting the race condition during device detachment.
Affected Products
- Linux kernel with ALPS touchpad driver support
- Systems utilizing ALPS touchpad with external PS/2 device connectivity
- Linux kernel versions prior to the security patch commits
Discovery Timeline
- 2026-01-13 - CVE-2025-68822 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68822
Vulnerability Analysis
The vulnerability resides in the ALPS touchpad driver's handling of the dev3_register_work delayed work item. When a device is being detached, the psmouse_disconnect() function calls flush_workqueue() to ensure completion of pending work items. However, this operation only waits for work items already queued before its invocation—any work items submitted afterward are not awaited.
The core issue is that after flush_workqueue() completes, dev3_register_work can still be scheduled through alps_report_bare_ps2_packet(). Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), this does not prevent the scheduling of dev3_register_work.
When the race condition is triggered, the delayed work item accesses the priv structure (via container_of()) and its dev3 member after the structure has already been freed by kfree(priv) in alps_disconnect(). This constitutes a classic use-after-free scenario that was identified through static analysis.
Root Cause
The root cause is improper synchronization between the device cleanup path and the delayed work scheduling mechanism. The original implementation relied on flush_workqueue() to ensure all pending work is completed before freeing resources, but this approach fails to account for work items that may be queued after the flush operation begins. The dev3_register_work delayed work item initialization in alps_reconnect() and its subsequent scheduling upon receipt of PS/2 packets create a timing window where the work can be queued after cleanup has commenced.
Attack Vector
The attack vector involves triggering the race condition between two CPU execution paths:
CPU 0 (Cleanup Path):
- psmouse_disconnect() is called during device detachment
- psmouse_set_state() sets the state to PSMOUSE_CMD_MODE
- flush_workqueue() waits for currently queued work items
- alps_disconnect() calls kfree(priv) to free the alps_data structure
CPU 1 (Delayed Work Path):
- alps_report_bare_ps2_packet() is called for incoming PS/2 packet
- psmouse_queue_work() schedules dev3_register_work
- alps_register_bare_ps2_mouse() executes the work item
- The work item accesses priv via container_of() after it has been freed
- Access to priv->dev3 triggers use-after-free
The race window exists between the flush_workqueue() call and the kfree(priv) call, during which an external PS/2 packet can trigger the scheduling of the delayed work item.
Detection Methods for CVE-2025-68822
Indicators of Compromise
- Kernel panic or oops messages referencing the ALPS driver or alps_register_bare_ps2_mouse function
- System crashes during PS/2 device hot-plug/unplug operations with ALPS touchpads
- Memory corruption indicators in kernel logs related to the input subsystem
Detection Strategies
- Monitor kernel logs for use-after-free warnings from KASAN (Kernel Address Sanitizer) related to ALPS driver
- Deploy kernel debugging tools to detect memory access violations in the input driver subsystem
- Implement system monitoring for unexpected crashes during device attachment/detachment events
Monitoring Recommendations
- Enable KASAN in development/testing environments to detect use-after-free conditions
- Configure crash dump collection to capture kernel state during ALPS driver-related crashes
- Monitor system stability metrics on systems with ALPS touchpads and external PS/2 devices
How to Mitigate CVE-2025-68822
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix commits
- Consider disabling external PS/2 device support on ALPS touchpads if updates cannot be immediately applied
- Monitor affected systems for signs of exploitation or instability
Patch Information
The vulnerability has been resolved by adding disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated.
Patch commits are available from the kernel Git repositories:
- Kernel Git Commit a9c115e017b2c633d25bdfe6709dda6fc36f08c2
- Kernel Git Commit bf40644ef8c8a288742fa45580897ed0e0289474
- Kernel Git Commit ed8c61b89be0c45f029228b2913d5cf7b5cda1a7
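The flush-versus-disable difference described under Attack Vector and Patch Information, as an added user-space C model (not kernel code and not taken from the patch commits). The struct and the `_m` function names are hypothetical stand-ins, and a `freed` flag replaces the real kfree(priv) so the program itself stays memory-safe.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: comments name the kernel functions from the page,
 * but none of this is kernel code. "freed" stands in for kfree(priv). */
struct work { bool pending; int disabled; };
struct alps_model { struct work dev3_register_work; bool freed; int uaf_hits; };

/* Models queueing the delayed work: refused once the work is disabled. */
static bool queue_work_m(struct work *w) {
    if (w->disabled || w->pending) return false;
    w->pending = true;
    return true;
}

/* Models alps_register_bare_ps2_mouse() touching priv->dev3. */
static void run_pending(struct alps_model *p) {
    struct work *w = &p->dev3_register_work;
    if (!w->pending) return;
    w->pending = false;
    if (p->freed) p->uaf_hits++;   /* access after kfree(priv) */
}

/* Models flush_workqueue(): waits only for work queued before the call. */
static void flush_m(struct alps_model *p) { run_pending(p); }

/* Models disable_delayed_work_sync(): cancel pending work, block requeueing. */
static void disable_sync_m(struct work *w) { w->pending = false; w->disabled++; }

/* Replays the page's interleaving; returns the number of use-after-free hits. */
int simulate_disconnect(bool patched) {
    struct alps_model p = {0};
    queue_work_m(&p.dev3_register_work);   /* packet before disconnect */
    flush_m(&p);                           /* psmouse_disconnect() flush */
    queue_work_m(&p.dev3_register_work);   /* late PS/2 packet (CPU 1) */
    if (patched) disable_sync_m(&p.dev3_register_work);  /* the fix */
    queue_work_m(&p.dev3_register_work);   /* second late packet, pre-free */
    p.freed = true;                        /* kfree(priv) in alps_disconnect() */
    run_pending(&p);                       /* workqueue runs what is queued */
    return p.uaf_hits;
}

int main(void) {
    printf("unpatched: %d, patched: %d\n",
           simulate_disconnect(false), simulate_disconnect(true));
    return 0;
}
```

In the unpatched replay the work queued after the flush is still pending when the structure is marked freed; in the patched replay it is cancelled and the second packet's queue attempt is refused.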
Workarounds
- If kernel updates cannot be applied immediately, avoid hot-plugging PS/2 devices on systems with ALPS touchpads
- Prevent the ALPS protocol from being probed by forcing the bare PS/2 protocol (psmouse.proto=bare) if ALPS touchpad functionality is not required
- Implement kernel live patching solutions to apply the fix without requiring a full system reboot
# Check current kernel version and ALPS driver status
uname -r
lsmod | grep psmouse
# If using a package manager, update to latest kernel
# For Debian/Ubuntu:
sudo apt update && sudo apt upgrade linux-image-generic
# For RHEL/CentOS:
sudo yum update kernel


