CVE-2025-68804
Description
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
After unbinding the driver, another kthread cros_ec_console_log_work is still accessing the device, resulting in a UAF and crash.
The driver doesn't unregister the EC device in .remove() which should shut down sub-devices synchronously. Fix it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's Chrome OS EC ISHTP driver occurs when the driver is unbound while a worker thread still accesses the device.
Vulnerability
CVE-2025-68804 is a use-after-free (UAF) vulnerability in the Linux kernel's cros_ec_ishtp driver, part of the platform/chrome subsystem for Chrome OS Embedded Controller communication over Intel ISHTP. The root cause is that the driver's .remove() callback does not unregister the EC device, leaving a worker thread (cros_ec_console_log_work) still active and accessing freed device memory after the driver is unbound [1][2].
Exploitation
An attacker with the ability to unbind the driver (e.g., via sysfs or module removal) can trigger the race condition. No special privileges beyond local access are required; the attack surface is local, as the driver is part of the kernel's platform/chrome subsystem. The worker thread continues to run and dereferences freed pointers, leading to a crash or potential code execution [3].
Impact
Successful exploitation results in a kernel crash (denial of service) or, in worst-case scenarios, arbitrary code execution in kernel context. The vulnerability is rated with a CVSS score that reflects high severity due to the potential for system compromise.
Mitigation
The fix is included in the Linux kernel stable updates. The commit ensures that the EC device is properly unregistered in the .remove() path, which synchronously shuts down sub-devices and stops the worker thread before freeing memory [1][2][3]. Users should apply the latest kernel updates from their distribution to mitigate the issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
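The teardown ordering described under Vulnerability and Mitigation, shown as an added example that is not the kernel driver's code. It is a sequential user-space model in which every identifier is hypothetical and an `alive` flag stands in for freed memory, so the stale accesses can be counted safely.

```c
/* Added illustration, hypothetical names throughout; not the kernel driver's code. */
#include <stdbool.h>

struct ec_dev { bool alive; int log_reads; };            /* EC device state */
struct poll_work { struct ec_dev *dev; bool pending; };  /* self-re-arming work */
static int stale_accesses; /* polls that touched a released device */

/* One run of the console-log poller: touch the device, then re-arm. */
static void console_log_work(struct poll_work *w)
{
    if (w->dev->alive)
        w->dev->log_reads++;
    else
        stale_accesses++;      /* in the kernel this would be the use-after-free */
    w->pending = true;
}

/* Scheduler tick: run the work item if it is queued. */
static void run_pending(struct poll_work *w)
{
    if (!w->pending) return;
    w->pending = false;
    console_log_work(w);
}

/* remove() without sub-device shutdown: device released, poller still queued. */
static void remove_buggy(struct ec_dev *d) { d->alive = false; }

/* remove() with the fixed ordering: stop the poller first, then release. */
static void remove_fixed(struct ec_dev *d, struct poll_work *w)
{
    w->pending = false;        /* stands in for the synchronous unregister */
    d->alive = false;
}

/* Bind, poll once, unbind, then tick; returns polls that hit a released device. */
int simulate_unbind(bool fixed, int ticks_after_remove)
{
    struct ec_dev dev = { .alive = true, .log_reads = 0 };
    struct poll_work work = { .dev = &dev, .pending = true };
    stale_accesses = 0;
    run_pending(&work);
    if (fixed) remove_fixed(&dev, &work); else remove_buggy(&dev);
    for (int i = 0; i < ticks_after_remove; i++)
        run_pending(&work);
    return stale_accesses;
}

/* Exit status 0: the fixed ordering leaves no stale access. */
int main(void) { return simulate_unbind(true, 3); }
```

Because the poller re-arms itself, every tick after a teardown that skips the shutdown step is another stale access. A real kernel additionally has to wait for an instance that is already running, which this sequential model does not represent.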
References
- git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437 (nvd)
- git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020 (nvd)
- git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b (nvd)
- git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f (nvd)
- git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b (nvd)
- git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd (nvd)
- git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95 (nvd)