CVE-2025-21928

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() The system can experience a random crash a few minutes after the driver is
removed. This issue occurs due to improper handling of memory freeing in
the ishtp_hid_remove() function. The function currently frees the `driver_data` directly within the loop
that destroys the HID devices, which can lead to accessing freed memory.
Specifically, `hid_destroy_device()` uses `driver_data` when it calls
`hid_ishtp_set_feature()` to power off the sensor, so freeing
`driver_data` beforehand can result in accessing invalid memory. This patch resolves the issue by storing the `driver_data` in a temporary
variable before calling `hid_destroy_device()`, and then freeing the
`driver_data` after the device is destroyed.

In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function. The function currently frees the `driver_data` directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, `hid_destroy_device()` uses `driver_data` when it calls `hid_ishtp_set_feature()` to power off the sensor, so freeing `driver_data` beforehand can result in accessing invalid memory. This patch resolves the issue by storing the `driver_data` in a temporary variable before calling `hid_destroy_device()`, and then freeing the `driver_data` after the device is destroyed.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-04-01 CVE Published
2025-05-03 EPSS Updated
2025-05-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d	2025-03-13
https://git.kernel.org/stable/c/d3faae7f42181865c799d88c5054176f38ae4625	2025-03-13
https://git.kernel.org/stable/c/01b18a330cda61cc21423a7d1af92cf31ded8f60	2025-03-13
https://git.kernel.org/stable/c/cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394	2025-03-13
https://git.kernel.org/stable/c/560f4d1299342504a6ab8a47f575b5e6b8345ada	2025-03-13
https://git.kernel.org/stable/c/dea6a349bcaf243fff95dfd0428a26be6a0fb44e	2025-03-13
https://git.kernel.org/stable/c/eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9	2025-03-13
https://git.kernel.org/stable/c/07583a0010696a17fb0942e0b499a62785c5fc9f	2025-02-19

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.4.291 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.4.291"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.10.235 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.10.235"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.15.179 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.15.179"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 6.1.131 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 6.1.131"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 6.6.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 6.6.83"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 6.12.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 6.12.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 6.13.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 6.13.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 6.14"		en		Affected