CVE-2025-68249

Summary

In the Linux kernel, the following vulnerability has been resolved:

most: usb: hdm_probe: Fix calling put_device() before device initialization

The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject.

In this path the private struct was only kmalloc'ed and the intended release is effectively kfree(mdev) anyway, so free it directly instead of calling put_device() on an uninitialized device.

This removes the WARNING and fixes the pre-initialization error path.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux97a6f772f36b7f52bcfa56a581bbd2470cffe23d < 3509c748e79435d09e730673c8c100b7f0ebc87caffected
LinuxLinux97a6f772f36b7f52bcfa56a581bbd2470cffe23d < ad2be44882716dc3589fbc5572cc13f88ead6b24affected
LinuxLinux97a6f772f36b7f52bcfa56a581bbd2470cffe23d < c400410fe0580dd6118ae8d60287ac9ce71a65fdaffected
LinuxLinux97a6f772f36b7f52bcfa56a581bbd2470cffe23d < 6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95affected
LinuxLinux97a6f772f36b7f52bcfa56a581bbd2470cffe23d < 7d851f746067b8ee5bac9c262f326ace0a6ea253affected
LinuxLinux97a6f772f36b7f52bcfa56a581bbd2470cffe23d < 4af0eedbdb4df7936bf43a28e31af232744d2620affected
LinuxLinux97a6f772f36b7f52bcfa56a581bbd2470cffe23d < a8cc9e5fcb0e2eef21513a4fec888f5712cb8162affected
LinuxLinux5.9affected
LinuxLinux0 < 5.9unaffected
LinuxLinux5.10.246 <= 5.10.*unaffected
LinuxLinux5.15.196 <= 5.15.*unaffected
LinuxLinux6.1.158 <= 6.1.*unaffected
LinuxLinux6.6.115 <= 6.6.*unaffected
LinuxLinux6.12.56 <= 6.12.*unaffected
LinuxLinux6.17.6 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References