{"id":"CVE-2025-68822","summary":"Input: alps - fix use-after-free bugs caused by dev3_register_work","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nInput: alps - fix use-after-free bugs caused by dev3_register_work\n\nThe dev3_register_work delayed work item is initialized within\nalps_reconnect() and scheduled upon receipt of the first bare\nPS/2 packet from an external PS/2 device connected to the ALPS\ntouchpad. During device detachment, the original implementation\ncalls flush_workqueue() in psmouse_disconnect() to ensure\ncompletion of dev3_register_work. However, the flush_workqueue()\nin psmouse_disconnect() only blocks and waits for work items that\nwere already queued to the workqueue prior to its invocation. Any\nwork items submitted after flush_workqueue() is called are not\nincluded in the set of tasks that the flush operation awaits.\nThis means that after flush_workqueue() has finished executing,\nthe dev3_register_work could still be scheduled. Although the\npsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),\nthe scheduling of dev3_register_work remains unaffected.\n\nThe race condition can occur as follows:\n\nCPU 0 (cleanup path)     | CPU 1 (delayed work)\npsmouse_disconnect()     |\n  psmouse_set_state()    |\n  flush_workqueue()      | alps_report_bare_ps2_packet()\n  alps_disconnect()      |   psmouse_queue_work()\n    kfree(priv); // FREE | alps_register_bare_ps2_mouse()\n                         |   priv = container_of(work...); // USE\n                         |   priv-\u003edev3 // USE\n\nAdd disable_delayed_work_sync() in alps_disconnect() to ensure\nthat dev3_register_work is properly canceled and prevented from\nexecuting after the alps_data structure has been deallocated.\n\nThis bug is identified by static analysis.","modified":"2026-04-02T13:03:51.640871Z","published":"2026-01-13T15:29:24.703Z","related":["SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68822.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68822.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68822"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"04aae283ba6a8cd4851d937bf9c6d6ef0361d794"},{"fixed":"ed8c61b89be0c45f029228b2913d5cf7b5cda1a7"},{"fixed":"a9c115e017b2c633d25bdfe6709dda6fc36f08c2"},{"fixed":"bf40644ef8c8a288742fa45580897ed0e0289474"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68822.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68822.json"}}],"schema_version":"1.7.5"}