CVE-2025-68312 in Linux
Summary
by MITRE • 12/16/2025
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Prevents free active kevent
The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the "free active object (kevent)" error reported here.
2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.
The solution to this problem is to cancel the kevent before executing free_netdev().
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/24/2026
This vulnerability exists within the Linux kernel's usbnet driver implementation and represents a critical race condition that can lead to system instability and potential memory corruption. The flaw manifests when the usbnet network device is being torn down during the disconnection process, specifically when the device is in an inconsistent state where kernel work items are still active but the network device structure is being freed. The vulnerability is classified under CWE-362, which deals with race conditions, and aligns with ATT&CK technique T1059.003 for execution through kernel modules, making it particularly concerning for system integrity and availability. The root cause stems from improper synchronization between device state management and kernel work queue operations within the usbnet subsystem.
The technical implementation of this vulnerability occurs during the usbnet device disconnection sequence where the driver fails to properly manage the lifecycle of kernel work items. When usbnet_probe() executes usbnet_link_change() with parameters (0, 0), it schedules a kevent work item onto the global workqueue for processing. However, the timing window between this scheduling and the subsequent device unregistration creates a critical race condition. The device registration process does not wait for the kevent work to complete before proceeding to cleanup operations, and the subsequent call to free_netdev() attempts to free memory structures that are still actively referenced by the scheduled work item. This creates the classic "free active object" scenario where memory is deallocated while still being in use, leading to undefined behavior and potential system crashes.
The operational impact of CVE-2025-68312 extends beyond simple device disconnection failures to potentially compromise entire system stability when USB network devices are hot-plugged or disconnected during active network operations. This vulnerability affects systems running Linux kernel versions where the usbnet driver lacks proper work item cancellation before device cleanup, particularly impacting embedded systems, servers, and desktop environments that rely on USB networking capabilities. The race condition can be triggered repeatedly during device hot-plugging scenarios, making it a persistent threat to system reliability. Attackers could potentially exploit this vulnerability to cause denial of service conditions or, in more sophisticated scenarios, to execute arbitrary code through carefully crafted USB device sequences that manipulate the timing of device registration and unregistration processes.
Mitigation strategies for this vulnerability require kernel-level patches that ensure proper work item cancellation before device structure cleanup occurs. The recommended fix involves implementing explicit cancellation of pending kevent work items within the usbnet_disconnect() function before calling unregister_netdev() and free_netdev(). System administrators should prioritize kernel updates to versions containing the patched usbnet driver implementation, particularly focusing on the specific workqueue management and device state synchronization mechanisms. Additionally, monitoring systems for unusual device disconnection patterns or kernel memory corruption indicators can help detect exploitation attempts. Organizations should also implement proper USB device access controls and consider disabling unnecessary USB networking capabilities in environments where such vulnerabilities pose significant risks. The fix aligns with security best practices for kernel module development and addresses the fundamental race condition through proper resource management and synchronization primitives as recommended in the Linux kernel security guidelines and CERT/CC advisories for kernel-level vulnerabilities.