CVE-2026-46202 Overview
CVE-2026-46202 is a Linux kernel defect in the hid-appletb-kbd driver that handles the Apple Touch Bar keyboard. The driver invokes backlight_device_set_brightness(), which acquires backlight_device->ops_lock via mutex_lock(), from atomic contexts. Both the appletb_inactivity_timer() softirq callback and the reset_inactivity_timer() path triggered from HID and input event handlers reach this sleeping primitive while interrupts are disabled. The kernel emits a BUG: sleeping function called from invalid context warning at each occurrence. The issue affects systems running the affected Linux kernel versions with Apple Touch Bar hardware.
Critical Impact
Calling mutex_lock() from softirq or IRQ context can produce kernel warnings, scheduling anomalies, and potential deadlocks on systems with the hid-appletb-kbd driver loaded.
Affected Products
- Linux kernel builds containing the hid-appletb-kbd driver
- Apple MacBook devices with Touch Bar hardware running affected kernel versions
- Downstream distributions shipping the unpatched HID Apple Touch Bar driver
Discovery Timeline
- 2026-05-28 - CVE-2026-46202 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46202
Vulnerability Analysis
The hid-appletb-kbd driver implements an inactivity autodim feature for the Touch Bar backlight. The dim logic relies on backlight_device_set_brightness(), which internally takes the ops_lock mutex on the backlight device structure. Mutex acquisition is a blocking operation and must occur only in process context where the scheduler is permitted to sleep the caller.
The driver invokes this blocking call from two paths that execute in atomic context. The first is appletb_inactivity_timer(), registered as a struct timer_list callback and dispatched from run_timer_softirq. The second is reset_inactivity_timer(), called from appletb_kbd_hid_event() and appletb_kbd_inp_event() during URB completion and input-event dispatch. Both paths reach __mutex_lock() while atomic, triggering __might_resched warnings.
Root Cause
The root cause is a context mismatch [CWE-662] between the sleeping primitive mutex_lock() and the atomic execution contexts of timer softirqs and HID input event handlers. The original implementation assumed the backlight API was safe to call inline from these callbacks without deferring to a sleepable worker.
Attack Vector
The defect is reachable through normal hardware activity such as keyboard input, USB URB completions, and timer expiry on affected MacBooks. It is a kernel-stability bug rather than a remote exploitation primitive. No proof-of-concept exploit is published, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The fix described in the upstream commits converts the inactivity timer to a struct delayed_work and adds a dedicated restore_brightness_work so the blocking backlight call runs in process context. See the Kernel Git Commit 1654e53, Kernel Git Commit 2473a33, and Kernel Git Commit 5c08303 for the upstream patches.
Detection Methods for CVE-2026-46202
Indicators of Compromise
- Kernel log entries containing BUG: sleeping function called from invalid context at kernel/locking/mutex.c
- Stack traces referencing appletb_inactivity_timer, backlight_device_set_brightness, and run_timer_softirq
- Repeated __might_resched warnings emitted at the Touch Bar autodim interval
Detection Strategies
- Search dmesg and persistent kernel logs on affected MacBook hardware for the specific call trace involving appletb_kbd and mutex_lock.
- Audit the loaded kernel module version and compare against the patched commits to determine exposure.
- Correlate Touch Bar input or idle events with the appearance of sleeping-in-atomic warnings.
Monitoring Recommendations
- Forward kernel log events to a centralized log pipeline and alert on sleeping function called from invalid context patterns.
- Track kernel package versions across Apple hardware fleets to confirm patch coverage.
- Include hid-appletb-kbd stack traces in routine kernel-stability triage workflows.
How to Mitigate CVE-2026-46202
Immediate Actions Required
- Apply the upstream Linux kernel patches that move the autodim and brightness restore work onto the system workqueue.
- Update to a distribution kernel that incorporates the three referenced stable commits.
- Identify MacBook Touch Bar systems in the fleet and prioritize them for kernel updates.
Patch Information
The fix is published in the upstream Linux kernel stable tree across three commits: Kernel Git Commit 1654e53, Kernel Git Commit 2473a33, and Kernel Git Commit 5c08303. The patches convert the inactivity timer from struct timer_list to struct delayed_work, add a restore_brightness_workstruct work_struct, and cancel both works synchronously during driver tear-down. Functional semantics, including dim delays and state transitions, remain unchanged.
Workarounds
- Unload the hid-appletb-kbd module on affected systems where the Touch Bar autodim feature is not required.
- Blacklist the module via /etc/modprobe.d/ to prevent automatic loading until a patched kernel is deployed.
- Disable Touch Bar backlight management in userspace tooling to reduce frequency of the warning until patched.
# Blacklist the affected driver until a patched kernel is installed
echo 'blacklist hid-appletb-kbd' | sudo tee /etc/modprobe.d/hid-appletb-kbd.conf
sudo update-initramfs -u
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
