CVE-2025-71073 Overview
A use-after-free vulnerability has been discovered in the Linux kernel's lkkbd (LK keyboard) input driver. The vulnerability exists in the interaction between the lkkbd_interrupt() function, which schedules work via schedule_work(), and the disconnect/error handling paths in the driver. When lkkbd_disconnect() is called or an error occurs in lkkbd_connect(), the lkkbd structure can be freed while pending work is still scheduled, potentially allowing the lkkbd_reinit() work handler to access freed memory.
Critical Impact
This use-after-free vulnerability in the Linux kernel input subsystem could potentially be exploited for local privilege escalation or denial of service on affected systems.
Affected Products
- Linux kernel with lkkbd driver enabled
- Systems using LK (DEC LK201/LK401) keyboard hardware
- Various Linux distributions running vulnerable kernel versions
Discovery Timeline
- 2026-01-13 - CVE-2025-71073 published to NVD
- 2026-01-13 - Last updated in the NVD database
Technical Details for CVE-2025-71073
Vulnerability Analysis
The vulnerability stems from a race condition in the work scheduling mechanism of the lkkbd input driver. The lkkbd_interrupt() function schedules the lkkbd_reinit() work handler via schedule_work() on the lk->tq work queue. The work handler subsequently dereferences the lkkbd structure and its associated serio and input_dev fields.
The critical issue occurs during device disconnection or when error conditions arise during device connection. In both lkkbd_disconnect() and the error paths in lkkbd_connect(), the lkkbd structure is freed without properly ensuring that the reinit work cannot be re-queued after serio_close() returns. This creates a window where the work handler may execute after the underlying data structure has already been deallocated.
Root Cause
The root cause is improper synchronization between the work queue scheduling and the device cleanup path. The original code used cancel_work_sync(), which cancels pending work but does not prevent the work from being re-queued. During the window between cancel_work_sync() returning and serio_close() completing, new work items could be scheduled that would later attempt to access the freed lkkbd structure.
Attack Vector
An attacker with physical access to the system or the ability to trigger device disconnect/reconnect events could potentially exploit this vulnerability. The attack would require timing the device disconnection to occur while scheduled work is pending, causing the work handler to access freed memory. This could lead to kernel memory corruption, information disclosure, or potentially privilege escalation depending on what data occupies the freed memory region.
The vulnerability requires local access and interaction with the input subsystem. While not remotely exploitable, it represents a serious risk in environments where attackers have physical access or can manipulate hardware events.
Detection Methods for CVE-2025-71073
Indicators of Compromise
- Kernel oops or panic messages referencing lkkbd_reinit or lkkbd_disconnect
- Unexpected system crashes when disconnecting LK keyboard devices
- Kernel log entries indicating use-after-free detection in KASAN-enabled kernels
- Unusual kernel memory corruption warnings in the input subsystem
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) to detect use-after-free accesses at runtime
- Monitor kernel logs for oops messages related to the lkkbd driver module
- Implement kernel crash dump analysis for post-incident investigation
- Deploy endpoint detection solutions capable of monitoring kernel-level anomalies
Monitoring Recommendations
- Enable and review dmesg output for input subsystem errors
- Configure crash dump collection for kernel panics
- Monitor for unusual patterns in device connect/disconnect events
- Implement alerting on kernel module loading and unloading activities
How to Mitigate CVE-2025-71073
Immediate Actions Required
- Apply the kernel patches from the stable kernel git repositories
- Update to a patched Linux kernel version as soon as available from your distribution
- If the lkkbd driver is not required, consider blacklisting the module
- Monitor systems for signs of exploitation until patches can be applied
Patch Information
The fix involves replacing cancel_work_sync() with disable_work_sync() to ensure that the reinit work cannot be re-queued after cancellation. This change is applied in both lkkbd_disconnect() and in the lkkbd_connect() error paths after serio_open() is called.
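The difference between the two cleanup calls is easiest to see in a small user-space model. The block below is an added example, not the kernel's workqueue implementation and not the lkkbd driver's code: it reproduces only the queue/cancel/disable semantics described above, with names that mirror the kernel API (queue_work, cancel_work_sync, disable_work_sync) but with constructed bodies. The object is "freed" by setting a flag rather than releasing memory, so the deferred handler can report an after-free access deterministically instead of triggering undefined behaviour. simulate_disconnect() plays the sequence once: an interrupt queues the reinit work, cleanup runs, a second interrupt arrives in the window before serio_close() has completed, the object is freed, and the workqueue finally runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the kernel work_struct API (illustration only). */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct {
    void (*func)(struct work_struct *);
    bool pending;   /* queued and not yet run */
    bool disabled;  /* set by disable_work_sync(); queue_work() then refuses */
};

static struct work_struct *queued;   /* one-slot stand-in for the system workqueue */

static bool queue_work(struct work_struct *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    queued = w;
    return true;
}

/* Cancels a pending instance but leaves the work eligible to be queued again. */
static void cancel_work_sync(struct work_struct *w)
{
    if (w->pending) {
        w->pending = false;
        queued = NULL;
    }
}

/* Cancels like cancel_work_sync() and also rejects any later queue_work(). */
static void disable_work_sync(struct work_struct *w)
{
    cancel_work_sync(w);
    w->disabled = true;
}

/* Models the workqueue thread executing the queued item some time later. */
static void run_workqueue(void)
{
    struct work_struct *w = queued;
    if (!w)
        return;
    queued = NULL;
    w->pending = false;
    w->func(w);
}

/* Model of the driver object; kfree() is modelled by the freed flag. */
struct lkkbd {
    bool freed;
    struct work_struct tq;
};

static int uaf_hits;

static void lkkbd_reinit(struct work_struct *work)
{
    struct lkkbd *lk = container_of(work, struct lkkbd, tq);
    if (lk->freed)
        uaf_hits++;     /* in the real driver this is the use after free */
}

static void lkkbd_interrupt(struct lkkbd *lk)
{
    queue_work(&lk->tq);
}

/* Returns how many times the handler ran on the freed object. */
int simulate_disconnect(bool use_disable_work_sync)
{
    struct lkkbd lk = { .freed = false, .tq = { .func = lkkbd_reinit } };

    queued = NULL;
    uaf_hits = 0;

    lkkbd_interrupt(&lk);                 /* reinit work now pending */
    if (use_disable_work_sync)
        disable_work_sync(&lk.tq);        /* patched behaviour */
    else
        cancel_work_sync(&lk.tq);         /* original behaviour */
    lkkbd_interrupt(&lk);                 /* re-queue attempt inside the window */
    lk.freed = true;                      /* kfree(lk) */
    run_workqueue();                      /* deferred handler executes */

    return uaf_hits;
}

int main(void)
{
    printf("cancel_work_sync : handler runs after free = %d\n",
           simulate_disconnect(false));
    printf("disable_work_sync: handler runs after free = %d\n",
           simulate_disconnect(true));
    return 0;
}
```

With cancel_work_sync() the second interrupt succeeds in re-queueing the work and the handler runs on the freed object once; with disable_work_sync() the re-queue is rejected and the handler never runs. The model deliberately omits the real API's wait for a running instance, since the race the advisory describes is the re-queue, not a still-running handler.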
The patches are available in the following kernel git commits:
Workarounds
- If LK keyboard support is not required, blacklist the lkkbd module (for example with the modprobe.blacklist=lkkbd kernel parameter)
- Avoid connecting/disconnecting LK keyboard devices on affected systems
- Limit physical access to systems until patches can be applied
- Enable KASAN for development/testing environments to detect exploitation attempts
# Configuration example
# Blacklist the lkkbd module to prevent loading (only effective when lkkbd is
# built as a module; a driver compiled into the kernel cannot be blacklisted)
echo "blacklist lkkbd" | sudo tee /etc/modprobe.d/lkkbd-blacklist.conf
# Unload the module if currently loaded
sudo modprobe -r lkkbd
# Verify the module is not loaded (no output means it is not loaded)
lsmod | grep lkkbd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

