CVE-2025-71073: input LK Keyboard UAF
Severity: HIGH (KernelScan AI score 7.8)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description

In the Linux kernel, the following vulnerability has been resolved:

Input: lkkbd - disable pending work before freeing device

lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free.

Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open().
02 KernelScan AI Analysis
Risk summary
A race condition in the LK keyboard driver can cause the system to access freed memory when keyboard interrupts occur during device disconnection. This could lead to system crashes or potentially allow local attackers to corrupt kernel memory, though exploitation would require precise timing and physical access to keyboard hardware.
Vulnerability analysis
Root Cause: The lkkbd driver has a race condition between device disconnection/cleanup and work queue execution. When lkkbd_interrupt() schedules work via schedule_work(&lk->tq), the work handler lkkbd_reinit() can execute after the lkkbd structure has been freed in lkkbd_disconnect() or error paths in lkkbd_connect(). The original code only used cancel_work_sync() which cancels pending work but doesn't prevent new work from being queued.
Attack Surface: This vulnerability requires local access to trigger device disconnection or connection errors while the keyboard interrupt handler is active. It affects systems with LK201/LK401 keyboards connected via serial interfaces. The race window is narrow but could be exploited by repeatedly connecting/disconnecting the keyboard device or triggering connection errors.
Fix Mechanism: The patch replaces cancel_work_sync() with disable_work_sync() which both cancels pending work AND prevents new work from being queued. This ensures that after disable_work_sync() returns, no work handler can access the freed lkkbd structure. The fix is applied in both lkkbd_disconnect() and the error path in lkkbd_connect() after serio_open().
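To make the difference between the two workqueue calls concrete, the following userspace C program is an added model of the race, not code from the kernel or from the lkkbd driver. It reduces a work item to two bits of state (pending, disabled), replays the disconnect sequence from the description (interrupt queues reinit, driver cancels or disables, a late interrupt arrives in the window before serio_close() returns, the structure is freed, the workqueue thread runs), and counts how often the handler would run on the freed structure. The names model_*, simulate_disconnect and struct lkkbd_model are this example's own; the real kernel API also keeps a disable count and offers enable_work() to undo disable_work_sync(), which the model omits. The "free" is modelled with a flag so the program itself stays memory-safe.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a kernel work item: only the properties that matter
 * for the lkkbd race are represented (not the kernel's implementation). */
struct work_struct {
    bool pending;   /* queued and not yet executed */
    bool disabled;  /* disable_work_sync() has been called */
    void (*func)(struct work_struct *);
};

static void init_work(struct work_struct *w, void (*func)(struct work_struct *))
{
    memset(w, 0, sizeof(*w));
    w->func = func;
}

/* schedule_work(): queue unless already pending or disabled; true if queued. */
static bool model_schedule_work(struct work_struct *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* cancel_work_sync(): drop a pending run, but the item may be queued again later. */
static void model_cancel_work_sync(struct work_struct *w)
{
    w->pending = false;
}

/* disable_work_sync(): drop a pending run AND refuse any further queueing. */
static void model_disable_work_sync(struct work_struct *w)
{
    w->pending = false;
    w->disabled = true;
}

/* The workqueue thread: run the item once if it is pending. */
static bool model_run_pending(struct work_struct *w)
{
    if (!w->pending)
        return false;
    w->pending = false;
    w->func(w);
    return true;
}

/* Driver-private structure with the embedded work item, mirroring lk->tq. */
struct lkkbd_model {
    struct work_struct tq;  /* first member: the cast below stands in for container_of() */
    bool freed;             /* set where the driver would kfree() the structure */
    int runs_after_free;    /* handler executions that touched the "freed" structure */
};

/* Stand-in for lkkbd_reinit(): dereferences the structure owning the work item. */
static void model_reinit(struct work_struct *w)
{
    struct lkkbd_model *lk = (struct lkkbd_model *)w;
    if (lk->freed)
        lk->runs_after_free++;  /* in the kernel this dereference is the use-after-free */
}

/* Replay the disconnect sequence; returns how many times the handler ran after free. */
static int simulate_disconnect(bool use_disable_work_sync)
{
    struct lkkbd_model lk;
    memset(&lk, 0, sizeof(lk));
    init_work(&lk.tq, model_reinit);

    model_schedule_work(&lk.tq);          /* interrupt: reinit requested */

    if (use_disable_work_sync)            /* fixed driver */
        model_disable_work_sync(&lk.tq);
    else                                  /* original driver */
        model_cancel_work_sync(&lk.tq);

    model_schedule_work(&lk.tq);          /* late interrupt inside the race window */
    lk.freed = true;                      /* lkkbd_disconnect() frees the structure */

    model_run_pending(&lk.tq);            /* workqueue thread runs whatever is queued */
    return lk.runs_after_free;
}

int main(void)
{
    printf("cancel_work_sync : %d handler run(s) after free\n", simulate_disconnect(false));
    printf("disable_work_sync: %d handler run(s) after free\n", simulate_disconnect(true));
    return 0;
}
```

With cancel_work_sync() the late interrupt re-queues the item and the handler runs once on the freed structure; with disable_work_sync() the late schedule_work() call is refused and the count is zero. This is the whole content of the fix: the ordering of free versus handler execution is only safe if the item cannot be queued again after the synchronous cancel.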
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.64 | 3a7cd1397c20 |
| 6.18 | 6.18.3 | cffc4e29b1e2 |
| mainline | 6.19 | e58c88f0cb2d |