CVE-2025-38253 in Linuxinfo

Summary

by MITRE • 07/09/2025

In the Linux kernel, the following vulnerability has been resolved:

HID: wacom: fix crash in wacom_aes_battery_handler()

Commit fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended inactivity") introduced wacom_aes_battery_handler() which is scheduled as a delayed work (aes_battery_work).

In wacom_remove(), aes_battery_work is not canceled. Consequently, if the device is removed while aes_battery_work is still pending, then hard crashes or "Oops: general protection fault..." are experienced when wacom_aes_battery_handler() is finally called. E.g., this happens with built-in USB devices after resume from hibernate when aes_battery_work was still pending at the time of hibernation.

So, take care to cancel aes_battery_work in wacom_remove().

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/02/2026

The vulnerability CVE-2025-38253 represents a critical kernel-level race condition in the Linux HID subsystem specifically affecting Wacom tablet devices. This flaw exists within the wacom driver implementation where the aes_battery_handler function is scheduled as delayed work through the aes_battery_work mechanism. The issue stems from improper cleanup procedures during device removal operations, creating a scenario where kernel memory corruption can occur when pending work items execute after device unregistration. The vulnerability manifests as system crashes or general protection faults, indicating a serious violation of kernel memory management principles that could lead to system instability or potential privilege escalation.

The technical root cause of this vulnerability lies in the incomplete device removal handling within the wacom driver's cleanup routine. When wacom_remove() function is invoked during device removal, it fails to properly cancel the previously scheduled aes_battery_work delayed work item. This oversight creates a race condition where the work item may still be pending in the kernel workqueue when the device is removed, leading to execution of wacom_aes_battery_handler() against already freed or invalidated device structures. The problem is particularly pronounced during system resume from hibernation states where the work item was pending at hibernation time but executes upon wake-up, causing memory access violations. This represents a classic example of improper resource cleanup in kernel drivers, falling under CWE-459 which describes "Incomplete Cleanup" vulnerabilities.

The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise system stability and security. Attackers could exploit this vulnerability to cause denial of service conditions through repeated device removal and insertion cycles, or potentially trigger more severe memory corruption issues that could be leveraged for privilege escalation. The vulnerability affects systems running Linux kernels with the affected Wacom driver code, particularly those utilizing built-in USB devices that undergo hibernation cycles. During resume operations from hibernation, the system's power management subsystem interacts with the Wacom driver in a way that exposes this race condition, making it particularly dangerous in laptop and mobile environments where hibernation is commonly used. The general protection fault errors indicate that the kernel's memory management subsystem is encountering invalid memory references during the execution of the pending work item.

Mitigation strategies for this vulnerability require immediate kernel updates from vendors who have patched the affected code. The fix implemented in commit fd2a9b29dc9c addresses the issue by ensuring proper cancellation of the aes_battery_work in the wacom_remove() function before device structures are freed. System administrators should prioritize applying the patched kernel versions to eliminate the risk of exploitation. Additionally, monitoring for system crashes or general protection faults during hibernation resume cycles can help identify systems that may not have received the patch. Organizations should also consider implementing device management policies that minimize frequent device removal and insertion operations, particularly in environments where hibernation is actively used. The vulnerability demonstrates the importance of proper kernel driver resource management and highlights the need for thorough testing of power management operations, aligning with ATT&CK technique T1068 which covers 'Exploitation for Privilege Escalation' through kernel vulnerabilities and T1490 which covers 'Inhibit System Recovery' through denial of service attacks.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00136

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!