CVE-2026-46202: Linux Kernel hid-appletb-kbd Mutex Context Bug—Medium Severity Denial of Service
A locking bug in the Linux kernel's Apple Touch Bar keyboard driver (hid-appletb-kbd) causes the system to attempt sleeping operations from atomic (interrupt) contexts where sleeping is forbidden. The bug occurs in two code paths that adjust keyboard backlight brightness: a periodic inactivity timer and a user-activity reset handler. Both trigger calls to the backlight subsystem's brightness function, which tries to acquire a mutex while running in softirq or IRQ context, causing kernel warnings and potential system instability. The fix moves these blocking operations to a workqueue, allowing them to run safely in process context.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: run inactivity autodim from workqueues The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts: * appletb_inactivity_timer() is a struct timer_list callback, so it runs in softirq context. Every expiry triggers BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: <IRQ> __might_resched __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq * reset_inactivity_timer() is called from appletb_kbd_hid_event() and appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning. Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue: * Convert the inactivity timer from struct timer_list to struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal. * Add a dedicated struct work_struct restore_brightness_work and have reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly. Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop. The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as "reset the inactivity timer".
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from a context-switching violation in hid-appletb-kbd's brightness management. The appletb_inactivity_timer() callback executes as a timer_list handler in softirq context and invokes backlight_device_set_brightness(), which attempts mutex_lock() on backlight_device->ops_lock—an illegal operation from atomic context. Similarly, reset_inactivity_timer() is called from hid event handlers running in URB completion (IRQ) and input dispatch (softirq) contexts, and when restoring brightness after dim/off states, it also calls backlight_device_set_brightness() directly from atomic context. The resolution converts the inactivity timer to a delayed_work structure that executes in process context, and adds a separate work_struct for brightness restoration, eliminating the atomic-context mutex acquisition. Both work items are cancelled synchronously during driver teardown.
Business impact
This is a kernel stability issue affecting systems with Apple Touch Bar keyboards on Linux. The primary impact is system reliability: the bug triggers BUG warnings and could lead to kernel panics, unexpected hangs, or scheduler warnings that degrade user experience and system availability. For enterprise deployments or mission-critical systems running Linux on compatible hardware, unpatched kernels may exhibit sporadic crashes during keyboard use. The issue does not expose data or enable privilege escalation; the impact is functional availability of the keyboard and overall system stability.
Affected systems
The vulnerability affects the Linux kernel's hid-appletb-kbd driver, which supports Apple Touch Bar keyboard input and brightness control on systems running compatible Linux distributions. This includes Linux-based systems with Apple hardware using the Touch Bar (primarily newer MacBooks running Linux in dual-boot or natively). The vulnerability is present in kernels containing the affected code path and will manifest on any system that uses the appletb-kbd driver actively (particularly when keyboard inactivity timeouts or brightness restoration events occur).
Exploitability
This is a kernel panic/denial-of-service vector rather than a remote or privilege-escalation vulnerability. Exploitation requires local system access and depends on triggering keyboard inactivity or user-activity events while the driver is loaded. An unprivileged user cannot remotely or easily trigger the bug; a local attacker with keyboard access can induce brightness state changes or wait for inactivity timeouts to occur, potentially causing kernel warnings or instability. The CVSS 5.5 MEDIUM score reflects the local attack vector, low attack complexity, and denial-of-service impact with no confidentiality or integrity breach.
Remediation
Update to a patched Linux kernel that includes the fix converting inactivity timer and brightness restoration to workqueue-based execution. Verify the kernel version in your distribution's advisory against the vendor's patches. Alternatively, users dependent on the Touch Bar keyboard may disable the driver or avoid extended inactivity to reduce the likelihood of triggering the bug until patched, though this is a workaround rather than a fix. The patch is non-invasive and preserves all existing behavior and timing semantics.
Patch guidance
Check your Linux distribution's kernel security advisory for the version that incorporates the hid-appletb-kbd fix. The fix involves converting appletb_inactivity_timer from a timer_list callback to a delayed_work handler (appletb_inactivity_work), adding a restore_brightness_work structure, and modifying reset_inactivity_timer() to schedule the work instead of calling backlight_device_set_brightness() directly. When a patched kernel is released, standard kernel update procedures (apt, yum, etc.) will deliver the fix. Test after upgrade to confirm the keyboard and backlight functionality operate without warnings in kernel logs.
Detection guidance
Monitor kernel logs (dmesg, journalctl) for the specific error pattern: 'BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591' combined with stack traces mentioning appletb_inactivity_timer(), reset_inactivity_timer(), or backlight_device_set_brightness(). Systems exhibiting these warnings are running vulnerable code. Check kernel version and hid-appletb-kbd driver status with 'uname -r' and 'lsmod | grep appletb' to confirm the driver is loaded. Correlate log timestamps with keyboard inactivity or brightness change events to confirm the bug is being triggered.
Why prioritize this
Prioritize based on deployment model: if your organization supports Apple hardware running Linux, or if you operate systems with Touch Bar keyboards, this ranks as medium-priority for patching because it affects local system stability. For most enterprise environments without Apple Touch Bar hardware, this is lower priority but should still be included in regular kernel patching cycles. The fact that it is not currently on the CISA KEV list suggests active exploitation in the wild is not documented, reducing urgency. However, any Linux system running an affected kernel version should patch during planned maintenance windows to prevent unexpected kernel warnings or crashes.
Risk score, explained
The CVSS 5.5 MEDIUM score reflects: local attack vector (requires system access), low attack complexity (keyboard events are routine), low privileges required, and high availability impact (denial of service via kernel panic or warning floods). No confidentiality or integrity impact offsets the denial-of-service risk. The score appropriately captures a stability issue that is annoying and potentially disruptive but not exploitable for data theft or privilege escalation. For organizations with Apple Touch Bar Linux deployments, the practical risk may be higher due to system stability implications.
Frequently asked questions
Does this vulnerability allow privilege escalation or data theft?
No. The vulnerability is a kernel context-switching bug that causes sleeping operations to occur from atomic (interrupt) contexts, resulting in kernel warnings and potential panics. It does not enable unauthorized access to system data, privilege escalation, or authentication bypass. The only impact is denial of service through system instability.
Which Linux systems are affected?
Systems running Linux with Apple Touch Bar keyboard hardware (primarily newer MacBooks) are affected if they load the hid-appletb-kbd driver and the kernel version contains the vulnerable code. Check with 'lsmod | grep appletb' to confirm the driver is loaded. Most server and non-Apple hardware installations are unaffected.
Can this be triggered remotely?
No. The bug requires local system access and is triggered by keyboard activity or inactivity timeouts on the affected hardware. Remote attackers cannot trigger it.
What should I do if I see the 'sleeping function called from invalid context' warning?
Update your Linux kernel to a patched version released by your distribution. The warning indicates you are running a vulnerable version. Until patched, avoid extended keyboard inactivity or excessive brightness changes to minimize triggering the bug, but this is not a permanent fix.
This analysis is based on the published CVE record and kernel advisory as of the modification date. Security assessments are subject to change as new information emerges. Patch availability and version numbers vary by Linux distribution; consult your vendor's security advisory for specific update guidance. Testing in non-production environments is recommended before deploying kernel patches. This vulnerability is not currently tracked on the CISA KEV list; active exploitation in the wild has not been documented at the time of publication. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure