CVE-2025-71073 in Linux
Summary
by MITRE • 01/13/2026
In the Linux kernel, the following vulnerability has been resolved:
Input: lkkbd - disable pending work before freeing device
lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields.
lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free.
Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open().
Analysis
by VulDB Data Team • 04/21/2026
The vulnerability described in CVE-2025-71073 represents a critical use-after-free condition within the Linux kernel's lkkbd driver implementation. This flaw manifests in the keyboard input subsystem where the lkkbd_interrupt() function schedules a work queue task through schedule_work() to handle reinitialization operations. The work handler lkkbd_reinit() subsequently dereferences the lkkbd structure along with its associated serio and input_dev fields, creating a dangerous dependency on memory that may have already been deallocated.
The execution path leading to this vulnerability is a race between the work scheduling mechanism and the device disconnection process. When lkkbd_disconnect() or the error handling paths in lkkbd_connect() run, they free the lkkbd structure without ensuring that the reinit work cannot be queued again; an interrupt can still schedule it until serio_close() returns. This sequence allows the work handler to execute after the memory has been freed, resulting in undefined behavior and potential privilege escalation opportunities. The flaw is confined to the keyboard input driver and reflects poor resource management practices in kernel space.
This vulnerability maps to CWE-416 (Use After Free) and aligns with ATT&CK technique T1068 (Exploitation for Privilege Escalation). The operational impact extends beyond system instability: a malicious actor who wins the timing window between work queue scheduling and memory deallocation could potentially execute arbitrary code with kernel-level privileges. The vulnerability affects systems that use the lkkbd driver and could compromise the integrity of input device management on affected kernel versions.
The recommended mitigation strategy involves implementing disable_work_sync() instead of cancel_work_sync() to ensure that the reinit work cannot be re-queued after the lkkbd structure has been freed. This fix requires calling disable_work_sync() in both lkkbd_disconnect() and lkkbd_connect() error paths, specifically after serio_open() operations. The solution addresses the root cause by preventing the work queue from being re-scheduled during cleanup operations, thereby eliminating the race condition that enables the use-after-free scenario. This approach aligns with kernel security best practices for managing work queue lifecycles and demonstrates proper resource management in kernel drivers.
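The difference between the two cleanup calls is easiest to see in a small model. The following is an added illustration, not kernel code: it replaces the kernel workqueue with a single-slot work item (the `*_sim` functions and `struct lkkbd_sim` are constructed stand-ins) and replays the teardown sequence with a late interrupt arriving before serio_close() returns, once with the cancel semantics and once with the disable semantics.

```c
#include <stdbool.h>

/* Single-slot work item: a constructed model of a kernel work_struct, not the kernel API.
 * 'pending' = queued and not yet run, 'disabled' = schedule_work() must be refused. */
struct work { void (*fn)(void *); void *arg; bool pending, disabled; };

/* schedule_work(): queue unless already pending or disabled. */
static bool schedule_work_sim(struct work *w)
{
    if (w->disabled || w->pending) return false;
    w->pending = true;
    return true;
}
/* cancel_work_sync(): drops the pending instance, but a later schedule_work() succeeds again. */
static void cancel_work_sync_sim(struct work *w) { w->pending = false; }
/* disable_work_sync(): drops the pending instance and refuses any re-queueing. */
static void disable_work_sync_sim(struct work *w) { w->pending = false; w->disabled = true; }

/* Workqueue thread draining the item; returns 1 if the handler ran. */
static int run_pending(struct work *w)
{
    if (!w->pending) return 0;
    w->pending = false;
    w->fn(w->arg);
    return 1;
}

/* Stand-in for struct lkkbd; 'freed' marks where kfree() happened in the real driver. */
struct lkkbd_sim { struct work tq; bool freed; int reinit_after_free; };

static void lkkbd_reinit_sim(void *arg)
{
    struct lkkbd_sim *lk = arg;
    if (lk->freed) lk->reinit_after_free++;  /* real lkkbd_reinit() would touch freed memory here */
}

/* Teardown: an earlier interrupt queued reinit, the driver cancels or disables the work and frees
 * lk, a late interrupt fires before serio_close() returns, then the workqueue drains.
 * Returns handler runs after the free: 0 is safe, 1 is the use-after-free. */
static int simulate_disconnect(bool use_disable)
{
    struct lkkbd_sim lk = { .tq = { lkkbd_reinit_sim, &lk, false, false } };
    schedule_work_sim(&lk.tq);                          /* lkkbd_interrupt() queued reinit */
    if (use_disable) disable_work_sync_sim(&lk.tq); else cancel_work_sync_sim(&lk.tq);
    lk.freed = true;                                    /* kfree(lk) */
    schedule_work_sim(&lk.tq);                          /* late interrupt: re-queued or refused */
    run_pending(&lk.tq);
    return lk.reinit_after_free;
}
```

With cancel semantics the late interrupt re-queues the work and the handler runs on the freed structure; with disable semantics the re-queue is refused and the handler never runs.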