VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68781

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal

The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions:
1. When a host controller binds to the OTG controller.
2. When the USB ID pin state changes (cable insertion/removal).

A race condition occurs when the device is removed via fsl_otg_remove(): the fsl_otg instance may be freed while the delayed work is still pending or executing. This leads to use-after-free when the work function fsl_otg_event() accesses the already freed memory.

The problematic scenario:

(detach thread)             | (delayed work)
fsl_otg_remove()            |
  kfree(fsl_otg_dev) //FREE | fsl_otg_event()
                            |   og = container_of(...) //USE
                            |   og-> //USE

Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() before deallocating the fsl_otg structure. This ensures the delayed work is properly canceled and completes execution prior to memory deallocation.

This bug was identified through static analysis.
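
The ordering problem and its fix, as an added example that is not part of the advisory or the kernel source: a single-threaded userspace model in which every `*_model` name is hypothetical. The free is represented by a `released` flag so the unfixed sequence can be observed without touching freed memory, and the late ID pin event after removal is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Constructed single-threaded model; every *_model name is hypothetical. */
struct work_model { void (*fn)(struct work_model *); bool pending, disabled; };
struct otg_model {                  /* stand-in for the fsl_otg instance */
    bool released;                  /* set where fsl_otg_remove() would kfree() */
    int events;
    struct work_model otg_event;
};
static int stale_runs;              /* callbacks that ran on a released instance */

static void otg_event_model(struct work_model *w)
{
    /* container_of(): recover the owning instance from the embedded work */
    struct otg_model *og =
        (struct otg_model *)((char *)w - offsetof(struct otg_model, otg_event));
    if (og->released) { stale_runs++; return; }   /* in the kernel: the UAF */
    og->events++;
}
/* Queueing is refused once the work has been disabled. */
static bool queue_model(struct work_model *w)
{
    return !w->disabled && (w->pending = true);
}
static void timer_fires_model(struct work_model *w)
{
    if (w->pending) { w->pending = false; w->fn(w); }
}
static void disable_sync_model(struct work_model *w)
{
    w->pending = false;   /* cancel the queued run; one thread, none in flight */
    w->disabled = true;   /* reject any later queue_model() */
}
/* One removal sequence; returns how many callbacks hit a released instance. */
int run_remove(bool fixed)
{
    struct otg_model *og = calloc(1, sizeof(*og));
    if (!og) return -1;
    og->otg_event.fn = otg_event_model;
    stale_runs = 0;
    queue_model(&og->otg_event);               /* ID pin change queues the work */
    if (fixed) disable_sync_model(&og->otg_event);
    og->released = true;                       /* remove path reaches its free */
    queue_model(&og->otg_event);               /* late ID pin event (assumed) */
    timer_fires_model(&og->otg_event);         /* delay expires after removal */
    free(og);                                  /* model frees after last access */
    return stale_runs;
}
```

`run_remove(false)` counts one callback that runs against the released instance; `run_remove(true)` counts none, because the queued run is cancelled and the later queue attempt is refused.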

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's Freescale USB OTG driver occurs when a delayed work item is not cancelled before device removal, potentially allowing memory corruption.

Vulnerability

CVE-2025-68781 is a use-after-free vulnerability in the Linux kernel's Freescale USB OTG driver (drivers/usb/phy/fsl-usb.c). The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled when a host controller binds to the OTG controller or when the USB ID pin state changes (cable insertion/removal). The root cause is a race condition during device removal: the fsl_otg_remove() function frees the fsl_otg structure without first ensuring that any pending or executing delayed work has completed. This allows the work function fsl_otg_event() to access freed memory, leading to a use-after-free condition [1][2].

Exploitation

An attacker would need to trigger the removal of the USB OTG device while a delayed work item is still pending or executing. This could be achieved through physical removal of the device or through a system-level event that causes the driver to be unbound. No special privileges are required beyond the ability to cause device removal, which may be possible from user space in some configurations. The vulnerability was identified through static analysis, and no active exploitation has been reported [1][2].

Impact

If successfully exploited, the use-after-free could lead to memory corruption, potentially allowing an attacker to crash the system (denial of service) or, in more severe cases, execute arbitrary code with kernel privileges. The impact is limited to systems using the Freescale USB OTG driver, which is commonly found in embedded systems and some Freescale/NXP i.MX platforms [1][2].

Mitigation

The fix is to call disable_delayed_work_sync() in fsl_otg_remove() before deallocating the fsl_otg structure, ensuring the delayed work is properly canceled and completes execution prior to memory deallocation. The patch has been applied to the Linux kernel stable branches [1][2]. Users should update to a kernel version containing the fix or apply the patch manually.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
