PT-2026-44336 · Linux · Linux

Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-46213 · None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
HID: appletb-kbd: fix UAF in inactivity-timer cleanup path
Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in appletb kbd probe") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.
Window A -- put_device() before timer_delete_sync():
    put_device(&kbd->backlight_dev->dev);
    timer_delete_sync(&kbd->inactivity_timer);
The inactivity timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock). If a concurrent hid_appletb_bl_unbind drops the last devm reference between these two calls, the backlight device is freed and the mutex_lock() touches freed memory.
Window B -- backlight cleanup before hid_hw_stop():
    if (kbd->backlight_dev) {
    	timer_delete_sync(...);
    	put_device(...);
    }
    hid_hw_close(hdev);
    hid_hw_stop(hdev);
Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late ".event" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference. That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer. The freshly re-armed timer can then fire on the about-to-be-freed backlight device.
Both windows produce the same KASAN slab-use-after-free:
    BUG: KASAN: slab-use-after-free in mutex_lock+0x1aab/0x21c0
    Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0
    Call Trace:
     mutex_lock
     backlight_device_set_brightness
     appletb_inactivity_timer
     call_timer_fn
     run_timer_softirq
     handle_softirqs
    Allocated by task N:
     devm_backlight_device_register
     appletb_bl_probe
    Freed by task M:
     (concurrent hid_appletb_bl_unbind path)
Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that
  1. hid_hw_close()/hid_hw_stop() run before the backlight cleanup, guaranteeing no further .event callback can fire and re-arm the timer, and
  2. inside the "if (kbd->backlight_dev)" block, timer_delete_sync() runs before put_device(), so the softirq is drained before the final reference is dropped.
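As an added illustration that is not the kernel's own code, the following userspace C model reduces the tear-down to the three facts the race depends on (whether the HID path is still open, whether the timer is armed, whether the device has been freed) and replays each ordering the commit message describes. The *_stub helpers and teardown_has_uaf() are assumptions standing in for the kernel APIs; put_stub() models the case where put_device() is the drop that frees the device, as happens when the unbind runs concurrently.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model state: the kernel objects are reduced to the bits the race depends on. */
struct model {
    bool hw_open;     /* hid_hw_stop() not yet run, so a late .event can still arrive */
    bool timer_armed; /* the inactivity timer is pending or running */
    bool uaf;         /* an armed timer outlived the backlight device */
};

/* Stand-in for the HID .event callback: reset_inactivity_timer() -> mod_timer(). */
static void late_event(struct model *m) { if (m->hw_open) m->timer_armed = true; }
/* Stand-in for timer_delete_sync(): drains the softirq and leaves the timer disarmed. */
static void sync_stub(struct model *m) { m->timer_armed = false; }
/* Stand-in for put_device() dropping the last reference (the concurrent unbind case
 * in the commit message): anything still armed now fires against freed memory. */
static void put_stub(struct model *m) { if (m->timer_armed) m->uaf = true; }
/* Stand-in for hid_hw_close()/hid_hw_stop(): no further .event can be delivered. */
static void hw_stop_stub(struct model *m) { m->hw_open = false; }

/* Replays one tear-down ordering and reports whether it reaches the KASAN report.
 * late_event_arrives only matters in the sync-before-put branch (Window B). */
static bool teardown_has_uaf(bool hw_stop_first, bool sync_before_put, bool late_event_arrives)
{
    struct model m = { .hw_open = true, .timer_armed = true, .uaf = false };

    if (hw_stop_first)                  /* fixed ordering: HID stopped before backlight cleanup */
        hw_stop_stub(&m);
    if (sync_before_put) {
        sync_stub(&m);
        if (late_event_arrives)         /* Window B: .event lands between sync and put */
            late_event(&m);
        put_stub(&m);
    } else {                            /* Window A: put_device() before timer_delete_sync() */
        put_stub(&m);
        sync_stub(&m);
    }
    if (!hw_stop_first)                 /* original ordering: HID stopped last */
        hw_stop_stub(&m);
    return m.uaf;
}

int main(void)
{
    printf("Window A (put before sync):            %s\n", teardown_has_uaf(false, false, false) ? "UAF" : "ok");
    printf("Window B (late .event after sync):     %s\n", teardown_has_uaf(false, true, true) ? "UAF" : "ok");
    printf("Fixed ordering, late .event attempted: %s\n", teardown_has_uaf(true, true, true) ? "UAF" : "ok");
    return 0;
}
```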

Related Identifiers

CVE-2026-46213

Affected Products

Linux