Skip to main content

Linux Kernel CVE-2026-46213

| EUVDEUVD-2026-32840 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-gmvx-6pfp-7mcv
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 19:22 vuln.today
CVSS changed
Jun 10, 2026 - 19:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: fix UAF in inactivity-timer cleanup path

Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.

Window A -- put_device() before timer_delete_sync():

put_device(&kbd->backlight_dev->dev); timer_delete_sync(&kbd->inactivity_timer);

The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock). If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.

Window B -- backlight cleanup before hid_hw_stop():

if (kbd->backlight_dev) { timer_delete_sync(...); put_device(...); } hid_hw_close(hdev); hid_hw_stop(hdev);

Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late ".event" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference. That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer. The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.

Both windows produce the same KASAN slab-use-after-free:

BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0 Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0 Call Trace: <IRQ> __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq handle_softirqs Allocated by task N: devm_backlight_device_register appletb_bl_probe Freed by task M: (concurrent hid_appletb_bl unbind path)

Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that

  1. hid_hw_close()/hid_hw_stop() run before the backlight cleanup,

guaranteeing no further .event callback can fire and re-arm the timer, and

  1. inside the "if (kbd->backlight_dev)" block, timer_delete_sync()

runs before put_device(), so the softirq is drained before the final reference is dropped.

AnalysisAI

Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.

Technical ContextAI

The vulnerability lies in drivers/hid/appletb-kbd.c, the HID driver for Apple Touch Bar keyboards on Intel-based MacBook Pro models. The root cause is CWE-416 (Use After Free): during driver unbind or probe error rollback, put_device() releasing the backlight_dev reference was called before timer_delete_sync() drained the inactivity_timer softirq, and the backlight teardown ran before hid_hw_close()/hid_hw_stop(), permitting a late HID .event callback to re-arm the timer via reset_inactivity_timer() → mod_timer(). Either race lets appletb_inactivity_timer fire on freed memory and invoke backlight_device_set_brightness() → mutex_lock() against a freed mutex, producing the KASAN slab-use-after-free shown in the report. The fix reorders teardown so HID I/O is stopped first and timer_delete_sync() runs before put_device() inside the backlight_dev guard.

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.32, 7.0.9, or 7.1-rc4 (or later) per the ENISA EUVD listing, which pull in the stable-tree fix commits 4db2af9, 59a79938, and 93d989e4 linked from kernel.org. Distribution kernels should pick up the corresponding stable backport once available; verify your vendor's CVE tracker for the exact package version. As a workaround on systems that do not need Touch Bar keyboard support, blacklist the appletb_kbd module (echo 'blacklist appletb_kbd' > /etc/modprobe.d/appletb-kbd.conf and rebuild initramfs), which fully eliminates the vulnerable code path at the cost of losing function-row keys and brightness control on affected MacBook Pro hardware. Avoid scripted unbind/rebind of hid_appletb_bl on production systems until patched, since the race is only reachable through driver teardown.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy