{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-68781","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-24T10:30:51.036Z","datePublished":"2026-01-13T15:28:56.261Z","dateUpdated":"2026-05-11T21:53:13.732Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:53:13.732Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: fsl-usb: Fix use-after-free in delayed work during device removal\n\nThe delayed work item otg_event is initialized in fsl_otg_conf() and\nscheduled under two conditions:\n1. When a host controller binds to the OTG controller.\n2. When the USB ID pin state changes (cable insertion/removal).\n\nA race condition occurs when the device is removed via fsl_otg_remove():\nthe fsl_otg instance may be freed while the delayed work is still pending\nor executing. This leads to use-after-free when the work function\nfsl_otg_event() accesses the already freed memory.\n\nThe problematic scenario:\n\n(detach thread)            | (delayed work)\nfsl_otg_remove()           |\n  kfree(fsl_otg_dev) //FREE| fsl_otg_event()\n                           |   og = container_of(...) //USE\n                           |   og-> //USE\n\nFix this by calling disable_delayed_work_sync() in fsl_otg_remove()\nbefore deallocating the fsl_otg structure. This ensures the delayed work\nis properly canceled and completes execution prior to memory deallocation.\n\nThis bug was identified through static analysis."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/phy/phy-fsl-usb.c"],"versions":[{"version":"0807c500a1a6d7fa20cbd7bbe7fea14a66112463","lessThan":"4476c73bbbb09b13a962176fca934b32d3954a2e","status":"affected","versionType":"git"},{"version":"0807c500a1a6d7fa20cbd7bbe7fea14a66112463","lessThan":"319f7a85b3c4e34ac2fe083eb146fe129a556317","status":"affected","versionType":"git"},{"version":"0807c500a1a6d7fa20cbd7bbe7fea14a66112463","lessThan":"69f9a0701abc3d1f8225074c56c27e6c16a37222","status":"affected","versionType":"git"},{"version":"0807c500a1a6d7fa20cbd7bbe7fea14a66112463","lessThan":"2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23","status":"affected","versionType":"git"},{"version":"0807c500a1a6d7fa20cbd7bbe7fea14a66112463","lessThan":"41ca62e3e21e48c2903b3b45e232cf4f2ff7434f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/phy/phy-fsl-usb.c"],"versions":[{"version":"3.0","status":"affected"},{"version":"0","lessThan":"3.0","status":"unaffected","versionType":"semver"},{"version":"6.1.160","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.64","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.3","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.1.160"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.6.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.12.64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.18.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e"},{"url":"https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317"},{"url":"https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222"},{"url":"https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23"},{"url":"https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f"}],"title":"usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal","x_generator":{"engine":"bippy-1.2.0"}}}}