CVE-2025-21929
Description
In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove() During the `rmmod` operation for the `intel_ishtp_hid` driver, a use-after-free issue can occur in the hid_ishtp_cl_remove() function. The function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(), which can lead to accessing freed memory or resources during the removal process. Call Trace: ? ishtp_cl_send+0x168/0x220 [intel_ishtp] ? hid_output_report+0xe3/0x150 [hid] hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid] ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid] hid_hw_request+0x1f/0x40 [hid] sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub] _hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger] hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger] sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub] hid_device_remove+0x49/0xb0 [hid] hid_destroy_device+0x6f/0x90 [hid] ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid] hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid] ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp] ... Additionally, ishtp_hid_remove() is a HID level power off, which should occur before the ISHTP level disconnect. This patch resolves the issue by reordering the calls in hid_ishtp_cl_remove(). The function ishtp_hid_remove() is now called before hid_ishtp_cl_deinit().
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| sles | affected | | |
| rocky | 9 | fixed | |
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.12.19-1 |
| debian | sid | fixed | 6.12.19-1 |
| debian | trixie | fixed | 6.12.19-1 |
| almalinux | 9 | fixed | kernel-64k-debug-devel-matched-5.14.0-570.32.1.el9_6.aarch64.rpm |
References
- https://access.redhat.com/errata/RHSA-2025:12746
- https://www.suse.com/security/cve/CVE-2025-21929.html
- https://errata.rockylinux.org/RLSA-2025:12746
- https://security-tracker.debian.org/tracker/CVE-2025-21929
- https://bugzilla.redhat.com/2348516
- https://bugzilla.redhat.com/2356592
- https://bugzilla.redhat.com/2356594
- https://bugzilla.redhat.com/2356624
- https://bugzilla.redhat.com/2360099
- https://bugzilla.redhat.com/2363378
- https://bugzilla.redhat.com/2366848
- https://bugzilla.redhat.com/2373380
- https://bugzilla.redhat.com/2375531
- https://errata.almalinux.org/9/ALSA-2025-12746.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.