{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-06T08:02:34.205","vulnerabilities":[{"cve":{"id":"CVE-2025-68822","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-01-13T16:16:04.550","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nInput: alps - fix use-after-free bugs caused by dev3_register_work\n\nThe dev3_register_work delayed work item is initialized within\nalps_reconnect() and scheduled upon receipt of the first bare\nPS/2 packet from an external PS/2 device connected to the ALPS\ntouchpad. During device detachment, the original implementation\ncalls flush_workqueue() in psmouse_disconnect() to ensure\ncompletion of dev3_register_work. However, the flush_workqueue()\nin psmouse_disconnect() only blocks and waits for work items that\nwere already queued to the workqueue prior to its invocation. Any\nwork items submitted after flush_workqueue() is called are not\nincluded in the set of tasks that the flush operation awaits.\nThis means that after flush_workqueue() has finished executing,\nthe dev3_register_work could still be scheduled. Although the\npsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),\nthe scheduling of dev3_register_work remains unaffected.\n\nThe race condition can occur as follows:\n\nCPU 0 (cleanup path) | CPU 1 (delayed work)\npsmouse_disconnect() |\n psmouse_set_state() |\n flush_workqueue() | alps_report_bare_ps2_packet()\n alps_disconnect() | psmouse_queue_work()\n kfree(priv); // FREE | alps_register_bare_ps2_mouse()\n | priv = container_of(work...); // USE\n | priv->dev3 // USE\n\nAdd disable_delayed_work_sync() in alps_disconnect() to ensure\nthat dev3_register_work is properly canceled and prevented from\nexecuting after the alps_data structure has been deallocated.\n\nThis bug is identified by static analysis."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nEntrada: alps - corrige errores de uso después de liberación causados por dev3_register_work\n\nEl elemento de trabajo retrasado dev3_register_work se inicializa dentro de alps_reconnect() y se programa al recibir el primer paquete PS/2 'bare' de un dispositivo PS/2 externo conectado al touchpad ALPS. Durante la desconexión del dispositivo, la implementación original llama a flush_workqueue() en psmouse_disconnect() para asegurar la finalización de dev3_register_work. Sin embargo, la flush_workqueue() en psmouse_disconnect() solo bloquea y espera por elementos de trabajo que ya estaban en cola en la workqueue antes de su invocación. Cualquier elemento de trabajo enviado después de que se llama a flush_workqueue() no se incluye en el conjunto de tareas que la operación de 'flush' espera. Esto significa que después de que flush_workqueue() ha terminado de ejecutarse, el dev3_register_work aún podría programarse. Aunque el estado de psmouse se establece en PSMOUSE_CMD_MODE en psmouse_disconnect(), la programación de dev3_register_work permanece inalterada.\n\nLa condición de carrera puede ocurrir de la siguiente manera:\n\nCPU 0 (ruta de limpieza) | CPU 1 (trabajo retrasado)\npsmouse_disconnect() |\n psmouse_set_state() |\n flush_workqueue() | alps_report_bare_ps2_packet()\n alps_disconnect() | psmouse_queue_work()\n kfree(priv); // LIBERAR | alps_register_bare_ps2_mouse()\n | priv = container_of(work...); // USAR\n | priv->dev3 // USAR\n\nAñadir disable_delayed_work_sync() en alps_disconnect() para asegurar que dev3_register_work se cancele correctamente y se impida su ejecución después de que la estructura alps_data haya sido desasignada.\n\nEste error es identificado por análisis estático."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}]}