CVE-2025-68312
Description
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Prevents free active kevent
The root causes of this issue are:
1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); puts the kevent work in the global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the "free active object (kevent)" error reported here.
2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.
The solution to this problem is to cancel the kevent before executing free_netdev().
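A userspace C model of the lifecycle described above, added here as an illustration; it is not the kernel's code or the actual patch. The work item, the queue and every `*_model` function are hypothetical stand-ins, and the pending check plays the role of the "free active object" report.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model; every *_model name is hypothetical, not a kernel API. */
struct work { bool pending; struct work *next; };
struct netdev_model { bool up; struct work kevent; };
static struct work *queue_head; /* stands in for the global workqueue */

static void queue_work_model(struct work *w)
{
    if (!w->pending) { w->pending = true; w->next = queue_head; queue_head = w; }
}

static void cancel_work_model(struct work *w)
{
    for (struct work **p = &queue_head; *p; p = &(*p)->next)
        if (*p == w) { *p = w->next; break; }
    w->pending = false;
}

/* Plays the role of the debug check: refuse to free while work is queued. */
static bool free_netdev_model(struct netdev_model *d)
{
    if (d->kevent.pending)
        return false; /* "free active object (kevent)" */
    free(d);
    return true;
}

/* Probe queues the kevent, then disconnect runs before the work does.
 * Returns true when the device was freed with no work still queued. */
static bool run_scenario(bool device_up, bool cancel_before_free)
{
    struct netdev_model *d = calloc(1, sizeof(*d));
    if (!d) return false;
    queue_work_model(&d->kevent);       /* usbnet_link_change(dev, 0, 0) */
    d->up = device_up;
    if (d->up)
        cancel_work_model(&d->kevent);  /* ndo_stop() only runs when up */
    if (cancel_before_free)
        cancel_work_model(&d->kevent);  /* the fix the description states */
    if (free_netdev_model(d))
        return true;
    cancel_work_model(&d->kevent);      /* model cleanup after detection */
    free(d);
    return false;
}

int main(void) { return (!run_scenario(false, false) && run_scenario(false, true)) ? 0 : 1; }
```

Only the combination "device never up, no cancel before free" is flagged, which matches the two factors the description lists.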
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux usbnet driver can occur when a kevent work item is not cancelled before free_netdev(), leading to a crash.
Root Cause
The vulnerability in the Linux kernel's usbnet driver stems from a race condition during device disconnection. When a usbnet device is probed, usbnet_link_change(dev, 0, 0) queues a kevent work item on the global workqueue. If the device is unregistered before the workqueue has run that item, free_netdev() is called while the kevent is still pending, resulting in a "free active object" error and potential use-after-free [1]. Additionally, usbnet_disconnect() calls unregister_netdev(), which runs ndo_stop() (the path that cancels the kevent) only if the device is up. If the device was never brought up, ndo_stop() does not execute and the kevent is never cancelled, leaving it pending when the device is freed [1].
Attack Scenario
An attacker with physical access or the ability to trigger USB device hot-unplug events can exploit this flaw. No special privileges are required beyond the ability to disconnect a usbnet device while its driver is probing. The race window exists between scheduling the kevent and its execution, making the attack difficult but reproducible under controlled conditions.
Impact
Successful exploitation leads to a kernel panic or use-after-free, causing a denial of service (system crash). In theory, an attacker could leverage this memory corruption to escalate privileges, but the official description only confirms the crash as the immediate consequence [1].
Mitigation
The fix has been applied in the Linux kernel stable tree via commit [1]. Users are advised to update to a version containing this commit or any later kernel that includes the backport. No workaround is available besides applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/285d4b953f2ca03c358f986718dd89ee9bde632e (nvd)
- git.kernel.org/stable/c/2ce1de32e05445d77fc056f6ff8339cfb78a5f84 (nvd)
- git.kernel.org/stable/c/3a10619fdefd3051aeb14860e4d4335529b4e94d (nvd)
- git.kernel.org/stable/c/420c84c330d1688b8c764479e5738bbdbf0a33de (nvd)
- git.kernel.org/stable/c/43005002b60ef3424719ecda16d124714b45da3b (nvd)
- git.kernel.org/stable/c/5158fb8da162e3982940f30cd01ed77bdf42c6fc (nvd)
- git.kernel.org/stable/c/88a38b135d69f5db9024ff6527232f1b51be8915 (nvd)
- git.kernel.org/stable/c/9a579d6a39513069d298eee70770bbac8a148565 (nvd)