CVE-2025-68249
Description
In the Linux kernel, the following vulnerability has been resolved:
most: usb: hdm_probe: Fix calling put_device() before device initialization
The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject.
In this path the private struct was only kmalloc'ed and the intended release is effectively kfree(mdev) anyway, so free it directly instead of calling put_device() on an uninitialized device.
This removes the WARNING and fixes the pre-initialization error path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a bug in most:usb:hdm_probe causes a WARN by calling put_device() before device initialization, fixed by freeing memory directly.
Vulnerability
In the Linux kernel's MOST (Media Oriented Systems Transport) USB driver, the hdm_probe() function has an error path that jumps to err_free_mdev before &mdev->dev is initialized via device_initialize(). Calling put_device(&mdev->dev) on an uninitialized device triggers a kernel WARN and invokes kref_put on an uninitialized kobject, leading to undefined behavior [1][2][3].
Exploitation
The bug occurs only in early error handling of the probe function, meaning an attacker would need to trigger a probe failure before device initialization. This requires local access to insert a USB device that triggers the error path, or similar system-level interaction. No authentication is needed beyond physical or logical access to USB ports.
Impact
An attacker exploiting this flaw can cause a kernel warning and potentially corrupt kernel memory due to the uninitialized kobject release, leading to system instability or denial of service. The issue does not directly allow privilege escalation but can be used to crash the system.
Mitigation
The fix, available in stable kernel commits [1][2][3], replaces the put_device() call with a direct kfree() of the private structure, avoiding the uninitialized device release. Users should update to patched kernel versions as soon as possible.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/3509c748e79435d09e730673c8c100b7f0ebc87cnvd
- git.kernel.org/stable/c/4af0eedbdb4df7936bf43a28e31af232744d2620nvd
- git.kernel.org/stable/c/6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95nvd
- git.kernel.org/stable/c/7d851f746067b8ee5bac9c262f326ace0a6ea253nvd
- git.kernel.org/stable/c/a8cc9e5fcb0e2eef21513a4fec888f5712cb8162nvd
- git.kernel.org/stable/c/ad2be44882716dc3589fbc5572cc13f88ead6b24nvd
- git.kernel.org/stable/c/c400410fe0580dd6118ae8d60287ac9ce71a65fdnvd
News mentions
0No linked articles in our index yet.