Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68282

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: udc: fix use-after-free in usb_gadget_state_work

A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN:

BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
Workqueue: events usb_gadget_state_work

The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup process in usb_del_gadget().

Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after device removal") attempted to fix this by moving flush_work() to after device_del(). However, this does not fully solve the race, as a new work item can still be scheduled *after* flush_work() completes but before the gadget's memory is freed, leading to the same use-after-free.

This patch fixes the race condition robustly by introducing a 'teardown' flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() *before* calling flush_work() to prevent any new work from being scheduled once cleanup has commenced. The scheduling site, usb_gadget_set_state(), now checks this flag under the lock before queueing the work, thus safely closing the race window.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's USB gadget subsystem due to a race condition during gadget teardown, fixed by adding a teardown flag and state_lock.

Vulnerability

CVE-2025-68282: Use-After-Free in Linux Kernel USB Gadget

A race condition in the Linux kernel's USB gadget subsystem can lead to a use-after-free in the usb_gadget_state_work() function. The root cause is that during gadget teardown in usb_del_gadget(), a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule the gadget's work item after cleanup has begun but before the gadget's memory is freed. The work handler then runs against freed memory, which KASAN reports as an invalid access in sysfs_notify [1].

## Exploitation

The vulnerability is triggered during the gadget removal process. A previous fix (commit 399a45e5237c) moved flush_work() to after device_del(), but this did not fully close the race because a new work item could be scheduled after flush_work() completes but before memory is freed. The attack surface is local, requiring the ability to trigger gadget teardown while a concurrent event (e.g., an interrupt) schedules state work. No special privileges are needed beyond access to the USB gadget subsystem [1].

## Impact

An attacker who can trigger this race condition can cause a use-after-free, potentially leading to memory corruption, system crash (denial of service), or possibly privilege escalation if the freed memory is reallocated for a different purpose. The vulnerability is rated with a CVSS score that reflects the potential for high impact on availability and integrity [1].

## Mitigation

The fix introduces a 'teardown' flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() before calling flush_work(), and usb_gadget_set_state() checks this flag under the lock before queueing work. This robustly prevents new work from being scheduled once teardown has started. The patch has been applied to the stable kernel tree [1][2][3]. Users should update to a kernel version containing this fix.
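To make the race and the fix described in the Description and Mitigation sections concrete, the following is an added userspace model written for this page; it is not the kernel patch and not code from the Linux project. The field names `teardown` and `state_lock` and the function names `usb_gadget_set_state()`, `usb_del_gadget()`, `usb_gadget_state_work()` and `flush_work()` come from the advisory; everything else is an assumption: the spinlock is a C11 `atomic_flag` stand-in, the workqueue is a single `work_pending` bit drained by `run_pending_work()`, `kfree()` is modelled by a `freed` flag the work body checks (standing in for KASAN), and whether `usb_gadget_set_state()` still records the new state once teardown has begun is a guess. `simulate_teardown_race()` replays the interleaving from the text (interrupt lands after `flush_work()` but before the free) once without and once with the fix, and returns how many work executions touched freed memory.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace stand-in for the kernel spinlock. */
typedef struct { atomic_flag held; } spinlock_t;

static void spin_lock(spinlock_t *l)
{
	while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire))
		; /* spin */
}

static void spin_unlock(spinlock_t *l)
{
	atomic_flag_clear_explicit(&l->held, memory_order_release);
}

enum usb_device_state { USB_STATE_NOTATTACHED, USB_STATE_ATTACHED, USB_STATE_CONFIGURED };

/* Toy model of the struct usb_gadget fields that matter for this race (assumed layout). */
struct usb_gadget {
	enum usb_device_state state;
	spinlock_t state_lock;  /* added by the fix */
	bool teardown;          /* added by the fix */
	bool work_pending;      /* stands in for gadget->work sitting on the workqueue */
	int  notifies;          /* how often the work body reached sysfs_notify() */
	bool freed;             /* models kfree(); any access after this is the UAF */
};

/* Work body: in the kernel this is where KASAN flagged the invalid access. */
static int usb_gadget_state_work(struct usb_gadget *g)
{
	if (g->freed)
		return 1;       /* ran on freed memory: this is the bug */
	g->notifies++;          /* sysfs_notify(..., "state") on a live gadget */
	return 0;
}

/* The workqueue executing the queued item; returns 1 if it ran on freed memory. */
static int run_pending_work(struct usb_gadget *g)
{
	if (!g->work_pending)
		return 0;
	g->work_pending = false;
	return usb_gadget_state_work(g);
}

static void flush_work(struct usb_gadget *g)
{
	run_pending_work(g);    /* gadget is still alive here, so this is safe */
}

/* Scheduling site. With the fix, the teardown check happens under state_lock. */
static bool usb_gadget_set_state(struct usb_gadget *g, enum usb_device_state s, bool fixed)
{
	bool queued = true;

	spin_lock(&g->state_lock);
	g->state = s;
	if (fixed && g->teardown)
		queued = false;         /* cleanup has started: refuse to queue new work */
	else
		g->work_pending = true; /* schedule_work(&gadget->work) */
	spin_unlock(&g->state_lock);
	return queued;
}

static void usb_del_gadget(struct usb_gadget *g, bool fixed)
{
	if (fixed) {
		spin_lock(&g->state_lock);
		g->teardown = true;     /* set BEFORE flush_work(), so the flush is final */
		spin_unlock(&g->state_lock);
	}
	/* device_del(&g->dev) would happen here */
	flush_work(g);
}

/* Replays the advisory's interleaving; returns the number of work runs on freed memory. */
static int simulate_teardown_race(bool fixed)
{
	struct usb_gadget g = { .state_lock = { ATOMIC_FLAG_INIT } };

	usb_gadget_set_state(&g, USB_STATE_CONFIGURED, fixed);  /* normal operation */
	run_pending_work(&g);

	usb_del_gadget(&g, fixed);                               /* cleanup begins */
	usb_gadget_set_state(&g, USB_STATE_NOTATTACHED, fixed);  /* interrupt lands after flush_work() */
	g.freed = true;                                          /* kfree(gadget) */

	return run_pending_work(&g);                             /* workqueue fires later */
}

int main(void)
{
	printf("without fix: %d use-after-free work run(s)\n", simulate_teardown_race(false));
	printf("with fix:    %d use-after-free work run(s)\n", simulate_teardown_race(true));
	return 0;
}
```

The point the model isolates is ordering: moving `flush_work()` after `device_del()` (the earlier commit) only drains work that is already queued, while setting `teardown` under the lock before the flush makes any later `usb_gadget_set_state()` call a no-op for scheduling, so nothing can reach the freed gadget. In a real kernel the same property is what a KASAN-enabled test build would confirm by no longer reporting the splat during repeated gadget bind/unbind cycles.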

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
