CVE-2025-21929: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()
During the `rmmod` operation for the `intel_ishtp_hid` driver, a use-after-free issue can occur in the hid_ishtp_cl_remove() function. The function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(), which can lead to accessing freed memory or resources during the removal process.
Call Trace:
    ? ishtp_cl_send+0x168/0x220 [intel_ishtp]
    ? hid_output_report+0xe3/0x150 [hid]
    hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid]
    ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid]
    hid_hw_request+0x1f/0x40 [hid]
    sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub]
    _hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger]
    hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger]
    sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub]
    hid_device_remove+0x49/0xb0 [hid]
    hid_destroy_device+0x6f/0x90 [hid]
    ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid]
    hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid]
    ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp]
    ...
Additionally, ishtp_hid_remove() is a HID level power off, which should occur before the ISHTP level disconnect.
This patch resolves the issue by reordering the calls in hid_ishtp_cl_remove(). The function ishtp_hid_remove() is now called before hid_ishtp_cl_deinit().
AI Analysis
Technical Summary
CVE-2025-21929 is a high-severity use-after-free vulnerability found in the Linux kernel, specifically within the intel_ishtp_hid driver, which handles Intel ISH (Integrated Sensor Hub) HID (Human Interface Device) interactions. The flaw occurs during the removal (rmmod) operation of the intel_ishtp_hid kernel module. The root cause is an incorrect order of function calls in the hid_ishtp_cl_remove() function, where hid_ishtp_cl_deinit() is invoked before ishtp_hid_remove(). This leads to a use-after-free condition because ishtp_hid_remove(), which performs a HID-level power off, should be called prior to the ISHTP-level disconnect to safely release resources. The improper sequence causes the system to access freed memory or resources, potentially leading to memory corruption. The vulnerability is classified under CWE-416 (Use After Free). The CVSS v3.1 base score is 7.8 (high), reflecting the vulnerability's potential to impact confidentiality, integrity, and availability with relatively low attack complexity and requiring low privileges but no user interaction. The vulnerability affects specific Linux kernel versions identified by commit hashes, and it has been resolved by reordering the function calls to ensure safe resource deallocation. No known exploits are currently reported in the wild. The vulnerability impacts the Linux kernel's handling of Intel ISH HID devices, which are commonly found in modern laptops and embedded systems that use Intel sensor hubs for device input and sensor data processing.
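A userspace model of the teardown ordering described above, added here as an illustration and not the kernel driver's code: the `model_*` names and `remove_order()` are hypothetical stand-ins, and a flag replaces the real release so the model itself has no undefined behavior. It shows why the last HID request visible in the call trace has to go out before the ISHTP client is torn down.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: these structs stand in for the driver's ISHTP client
 * and HID device. A flag replaces the real release so nothing is freed. */
struct model_cl  { bool released; int sends_after_release; };
struct model_hid { struct model_cl *cl; bool powered; };

/* Stands in for ishtp_cl_send(): counts any use of a released client. */
static void model_cl_send(struct model_cl *cl)
{
    if (cl->released)
        cl->sends_after_release++;   /* in the kernel this is the use-after-free */
}

/* Stands in for hid_ishtp_cl_deinit(): ISHTP-level disconnect and release. */
static void model_cl_deinit(struct model_cl *cl)
{
    cl->released = true;
}

/* Stands in for ishtp_hid_remove(): HID-level power off. Per the call trace,
 * destroying the HID device lets sensor_hub_remove() issue one last
 * set-feature request, which travels down to ishtp_cl_send(). */
static void model_hid_remove(struct model_hid *hid)
{
    if (hid->powered) {
        model_cl_send(hid->cl);
        hid->powered = false;
    }
}

/* Runs one removal sequence and returns how many sends hit a released client.
 * hid_first == false models the pre-fix order, true models the patched order. */
int remove_order(bool hid_first)
{
    struct model_cl cl = { false, 0 };
    struct model_hid hid = { &cl, true };

    if (hid_first) { model_hid_remove(&hid); model_cl_deinit(&cl); }
    else           { model_cl_deinit(&cl);   model_hid_remove(&hid); }
    return cl.sends_after_release;
}

int main(void)
{
    printf("deinit first (pre-fix): %d send(s) on released client\n", remove_order(false));
    printf("HID remove first (fixed): %d send(s) on released client\n", remove_order(true));
    return 0;
}
```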
Potential Impact
For European organizations, this vulnerability poses a significant risk, particularly for enterprises and governmental bodies relying on Linux-based systems with Intel ISH HID drivers enabled. Exploitation could allow a local attacker with low privileges to cause memory corruption, potentially leading to privilege escalation, arbitrary code execution within kernel context, or system crashes (denial of service). This can compromise the confidentiality and integrity of sensitive data and disrupt critical services. Given the widespread use of Linux in servers, workstations, and embedded devices across Europe, especially in sectors like finance, manufacturing, telecommunications, and public administration, the impact could be substantial. Systems running vulnerable kernel versions without the patch are at risk, and the vulnerability could be leveraged as part of multi-stage attacks or lateral movement within networks. The absence of required user interaction facilitates automated exploitation by attackers with local access. Although no public exploits are known yet, the high CVSS score and the nature of the flaw warrant urgent attention to prevent potential future exploitation.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions by applying the official fix that reorders the function calls in hid_ishtp_cl_remove() to prevent use-after-free conditions. System administrators must audit their Linux environments to identify systems running vulnerable kernel versions, especially those with Intel ISH HID drivers enabled. Where immediate patching is not feasible, organizations should restrict local access to trusted users only, implement strict privilege separation, and monitor kernel logs for anomalies related to intel_ishtp_hid module operations. Employing kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and enabling security modules like SELinux or AppArmor can reduce exploitation risk. Additionally, organizations should review and tighten module loading/unloading policies to prevent unauthorized rmmod operations. Regular vulnerability scanning and integration of this CVE into threat intelligence feeds will help maintain situational awareness. Finally, testing patches in staging environments before deployment will ensure stability and compatibility.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.789Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8c1c
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 7/3/2025, 4:58:09 AM
Last updated: 8/14/2025, 1:54:30 PM