CVE-2025-40211

Summary

In the Linux kernel, the following vulnerability has been resolved:

ACPI: video: Fix use-after-free in acpi_video_switch_brightness()

The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.

If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.

Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.

[ rjw: Changelog edit ]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 < 3f803ccf5a0c043e7c8b83f6665b082401fc8beeaffected
LinuxLinux8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 < ba1704316492a0496c69334338ea1fdbf4c2fd34affected
LinuxLinux8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 < bc78a4f51d548c1ccc3d1967c2b394bf687c86e9affected
LinuxLinux8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 < a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9affected
LinuxLinux8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 < 4e85246ec0d019dfba86ba54d841ef6694f97149affected
LinuxLinux8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 < de5fc93275a4a459fe2f7cb746984f2ab3e8292aaffected
LinuxLinux8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 < 293125536ef5521328815fa7c76d5f9eb1635659affected
LinuxLinux8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 < 8f067aa59430266386b83c18b983ca583faa6a11affected
LinuxLinux3.17affected
LinuxLinux0 < 3.17unaffected
LinuxLinux5.4.302 <= 5.4.*unaffected
LinuxLinux5.10.247 <= 5.10.*unaffected
LinuxLinux5.15.197 <= 5.15.*unaffected
LinuxLinux6.1.159 <= 6.1.*unaffected
LinuxLinux6.6.117 <= 6.6.*unaffected
LinuxLinux6.12.58 <= 6.12.*unaffected
LinuxLinux6.17.8 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References