CVE-2025-40211
Description
In the Linux kernel, the following vulnerability has been resolved:
ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.
If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.
Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.
[ rjw: Changelog edit ]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel's ACPI video driver when delayed work executes after device removal, fixed by canceling work before freeing memory.
Vulnerability
CVE-2025-40211 is a use-after-free vulnerability in the Linux kernel's ACPI video driver. The function acpi_video_switch_brightness() accesses device->brightness and device->backlight structures that are freed by acpi_video_dev_unregister_backlight() during device removal. If the delayed work switch_brightness_work executes after acpi_video_bus_unregister_backlight() has freed these resources, the driver dereferences freed memory, leading to a use-after-free condition [1].
Exploitation
The vulnerability is triggered when a user or system event causes the brightness switch work to be queued, and then the device is removed before the work executes. No special privileges are required beyond the ability to trigger device removal (e.g., hot-unplug of a display or docking station). The attack surface is local, as the ACPI video driver is part of the kernel and accessible to any user who can cause device removal events.
Impact
An attacker who can trigger the race condition may cause a use-after-free, potentially leading to memory corruption, system crash (denial of service), or possibly arbitrary code execution in kernel context. The exact impact depends on the kernel memory allocator state and the attacker's ability to control freed memory.
Mitigation
The fix, committed in the Linux kernel stable tree, ensures that cancel_delayed_work_sync() is called for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This guarantees the work completes before the memory is freed [1]. Users should apply the latest stable kernel updates containing this patch.
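The ordering the fix depends on, as an added example that is not kernel code and not part of the original advisory: a single-threaded userspace model in which every name (`video_dev`, `teardown`, the `order` values) is constructed for illustration, and the stale access is counted rather than performed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; every name here is constructed, not kernel code. */
struct video_dev {
    int *brightness;     /* stands in for device->brightness */
    bool handler_on;     /* notify handler installed */
    bool work_pending;   /* switch_brightness_work queued */
    int stale;           /* times the work ran after the free */
};
enum order { NO_CANCEL, CANCEL_THEN_REMOVE_HANDLER, REMOVE_HANDLER_THEN_CANCEL };

/* Notify handler: the only place that queues the work. */
static void notify(struct video_dev *d) { if (d->handler_on) d->work_pending = true; }

/* Models cancel_delayed_work_sync(): drops queued work. The real call also
 * waits for a running instance; this single-threaded model never has one. */
static void cancel_sync(struct video_dev *d) { d->work_pending = false; }

/* Work body: records, rather than performs, an access to freed state. */
static void run_pending(struct video_dev *d)
{
    if (!d->work_pending) return;
    d->work_pending = false;
    if (d->brightness) (*d->brightness)++; else d->stale++;
}

/* Runs one removal sequence and returns the number of stale accesses. */
int teardown(enum order o)
{
    struct video_dev d = { calloc(1, sizeof(int)), true, false, 0 };
    if (!d.brightness) return -1;
    notify(&d);                                    /* event queues the work */
    if (o == CANCEL_THEN_REMOVE_HANDLER) cancel_sync(&d);
    notify(&d);                                    /* second event during removal */
    d.handler_on = false;                          /* remove the notify handler */
    if (o == REMOVE_HANDLER_THEN_CANCEL) cancel_sync(&d);  /* order used by the fix */
    free(d.brightness);                            /* backlight unregistered */
    d.brightness = NULL;
    run_pending(&d);                               /* delay expires after the free */
    return d.stale;
}

int main(void)
{
    printf("no cancel: %d, cancel first: %d, fixed order: %d\n", teardown(NO_CANCEL),
           teardown(CANCEL_THEN_REMOVE_HANDLER), teardown(REMOVE_HANDLER_THEN_CANCEL));
    return 0;
}
```

Cancelling before the handler is removed still leaves a stale access in this model, because a later notification can queue the work again.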
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (8)
3f803ccf5a0c, ba1704316492, bc78a4f51d54, a63a5b6fb508, 4e85246ec0d0, de5fc93275a4, 293125536ef5, 8f067aa59430
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/293125536ef5521328815fa7c76d5f9eb1635659 (nvd)
- git.kernel.org/stable/c/3f803ccf5a0c043e7c8b83f6665b082401fc8bee (nvd)
- git.kernel.org/stable/c/4e85246ec0d019dfba86ba54d841ef6694f97149 (nvd)
- git.kernel.org/stable/c/8f067aa59430266386b83c18b983ca583faa6a11 (nvd)
- git.kernel.org/stable/c/a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9 (nvd)
- git.kernel.org/stable/c/ba1704316492a0496c69334338ea1fdbf4c2fd34 (nvd)
- git.kernel.org/stable/c/bc78a4f51d548c1ccc3d1967c2b394bf687c86e9 (nvd)
- git.kernel.org/stable/c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a (nvd)