CVE-2025-68367
Description
In the Linux kernel, the following vulnerability has been resolved:
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
The following warning appears when running syzkaller, and this issue also exists in the mainline code.
------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xf7/0x130 RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817 RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001 RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100 R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48 FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace:
input_register_handler+0xb3/0x210 mac_hid_start_emulation+0x1c5/0x290 mac_hid_toggle_emumouse+0x20a/0x240 proc_sys_call_handler+0x4c2/0x6e0 new_sync_write+0x1b1/0x2d0 vfs_write+0x709/0x950 ksys_write+0x12a/0x250 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2
The WARNING occurs when two processes concurrently write to the mac-hid emulation sysctl, causing a race condition in mac_hid_toggle_emumouse(). Both processes read old_val=0, then both try to register the input handler, leading to a double list_add of the same handler.
CPU0 CPU1 ------------------------- ------------------------- vfs_write() //write 1 vfs_write() //write 1 proc_sys_write() proc_sys_write() mac_hid_toggle_emumouse() mac_hid_toggle_emumouse() old_val = *valp // old_val=0 old_val = *valp // old_val=0 mutex_lock_killable() proc_dointvec() // *valp=1 mac_hid_start_emulation() input_register_handler() mutex_unlock() mutex_lock_killable() proc_dointvec() mac_hid_start_emulation() input_register_handler() //Trigger Warning mutex_unlock()
Fix this by moving the old_val read inside the mutex lock region.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in mac_hid_toggle_emumouse() in the Linux kernel allows concurrent sysctl writes to trigger a double list_add warning and potential crash.
Vulnerability
Overview
CVE-2025-68367 describes a race condition in the Linux kernel's mac_hid_toggle_emumouse() function, used to toggle mouse emulation via a sysctl interface. When two processes concurrently write to the mac-hid emulation sysctl, both may read the same initial value (old_val=0) and then attempt to register the input handler, leading to a double addition of the same handler to a list. This triggers a list_add double add warning and can cause undefined behavior, as observed by syzkaller.
Exploitation
The vulnerability is exploitable by any user with write access to the /proc/sys/dev/mac_hid/mouse_button_emulation sysctl file. No special privileges are required beyond standard file write permissions. The attacker must craft two concurrent write operations to the same sysctl file, causing the race window to be hit. This can be done locally via simultaneous threads or processes. The attack surface is local, as the sysctl is accessible only within the system.
Impact
If exploited successfully, the race condition can lead to a kernel crash or system hang due to corrupted list structures. In worst-case scenarios, it might allow an attacker to trigger kernel memory corruption, potentially leading to denial of service. The primary immediate impact is system instability, as demonstrated by the WARNING trace in the report.
Mitigation
The issue was fixed in the Linux kernel by introducing proper locking or atomicity checks in mac_hid_toggle_emumouse() to prevent simultaneous registration attempts. Patches have been backported to stable kernels as seen in references [1], [2], and [3]. Users should apply the latest kernel updates from their distribution. No workaround exists other than limiting write access to the sysctl file.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/14c209835e47a87e6da94bb9401e570dcc14f31fnvd
- git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3fnvd
- git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4nvd
- git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911nvd
- git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381nvd
- git.kernel.org/stable/c/583d36523f56d8e9ddfa0bec20743a6faefc9b74nvd
- git.kernel.org/stable/c/61abf8c3162d155b4fd0fb251f08557093363a0anvd
- git.kernel.org/stable/c/d5f1d40fd342b589420de7508b4c748fcf28122envd
News mentions
0No linked articles in our index yet.