high
7.8
CWE
416
Advisory Published
Updated

CVE-2025-21923: HID: hid-steam: Fix use-after-free when detaching device

First published: Tue Apr 01 2025(Updated: )

In the Linux kernel, the following vulnerability has been resolved: HID: hid-steam: Fix use-after-free when detaching device When a hid-steam device is removed it must clean up the client_hdev used for intercepting hidraw access. This can lead to scheduling deferred work to reattach the input device. Though the cleanup cancels the deferred work, this was done before the client_hdev itself is cleaned up, so it gets rescheduled. This patch fixes the ordering to make sure the deferred work is properly canceled.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected SoftwareAffected VersionHow to fix
Linux Kernel
Linux Kernel>=6.6.79<6.6.83
Linux Kernel>=6.12.16<6.12.19
Linux Kernel>=6.13.4<6.13.7

Remedy

https://git.kernel.org/stable/c/026714ec7546de741826324a6a1914c91024d06c

Remedy

https://git.kernel.org/stable/c/a899adf7063c6745aaff1ec869f3c7f6329ed0a1

Remedy

https://git.kernel.org/stable/c/e53fc232a65f7488ab75d03a5b95f06aaada7262

Remedy

https://git.kernel.org/stable/c/ea3f18d2f02629653b7bfe42607737ccd1343e54

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-21923?

    CVE-2025-21923 has been assigned a medium severity rating due to the potential for a use-after-free vulnerability leading to unexpected behavior.

  • How do I fix CVE-2025-21923?

    To fix CVE-2025-21923, ensure your Linux Kernel is updated to the latest version that includes the patch addressing this vulnerability.

  • What systems are affected by CVE-2025-21923?

    CVE-2025-21923 affects the Linux Kernel, specifically concerning the hid-steam device driver.

  • Can CVE-2025-21923 be exploited remotely?

    CVE-2025-21923 cannot be exploited remotely as it requires physical access to the system to detach the device.

  • What are the consequences of CVE-2025-21923 if exploited?

    Exploiting CVE-2025-21923 could lead to arbitrary code execution or denial of service due to the use-after-free error.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203