CVE-2025-68781

In the Linux kernel, the following vulnerability has been resolved:

usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal

The delayed work item otg_event is initialized in fsl_otg_conf() and
scheduled under two conditions:
1. When a host controller binds to the OTG controller.
2. When the USB ID pin state changes (cable insertion/removal).

A race condition occurs when the device is removed via fsl_otg_remove():
the fsl_otg instance may be freed while the delayed work is still pending
or executing. This leads to use-after-free when the work function
fsl_otg_event() accesses the already freed memory.

The problematic scenario:

(detach thread)            | (delayed work)
fsl_otg_remove()           |
  kfree(fsl_otg_dev) //FREE| fsl_otg_event()
                           |   og = container_of(...) //USE
                           |   og-> //USE

Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
before deallocating the fsl_otg structure. This ensures the delayed work
is properly canceled and completes execution prior to memory deallocation.

This bug was identified through static analysis.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
LinuxCNA
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
vulnerable
bullseye (security)
vulnerable
bookworm
vulnerable
bookworm (security)
vulnerable
trixie
vulnerable
trixie (security)
vulnerable
forky
vulnerable
sid
6.18.3-1
fixed
References
https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23
https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317
https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f
https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e
https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222