CVE-2026-46213: Linux Kernel appletb-kbd Use-After-Free Vulnerability (CVSS 7.8)
A use-after-free vulnerability exists in the Linux kernel's Apple keyboard HID driver (appletb-kbd). When the driver unloads or encounters an error during initialization, a cleanup race condition allows a timer callback to access freed memory. The timer can fire after the backlight device is deallocated but before the driver has fully stopped listening for hardware events, causing kernel memory corruption. An attacker with local access and the ability to trigger driver unload or timing conditions could crash the system or potentially execute code with kernel privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 8 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: fix UAF in inactivity-timer cleanup path Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows. Window A -- put_device() before timer_delete_sync(): put_device(&kbd->backlight_dev->dev); timer_delete_sync(&kbd->inactivity_timer); The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock). If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory. Window B -- backlight cleanup before hid_hw_stop(): if (kbd->backlight_dev) { timer_delete_sync(...); put_device(...); } hid_hw_close(hdev); hid_hw_stop(hdev); Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late ".event" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference. That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer. The freshly re-armed timer can then fire on the about-to-be-freed backlight_device. Both windows produce the same KASAN slab-use-after-free: BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0 Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0 Call Trace: <IRQ> __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq handle_softirqs Allocated by task N: devm_backlight_device_register appletb_bl_probe Freed by task M: (concurrent hid_appletb_bl unbind path) Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that 1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup, guaranteeing no further .event callback can fire and re-arm the timer, and 2) inside the "if (kbd->backlight_dev)" block, timer_delete_sync() runs before put_device(), so the softirq is drained before the final reference is dropped.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46213 is a use-after-free (UAF) vulnerability in the appletb-kbd HID driver's inactivity timer cleanup path. The vulnerability arises from a race condition with two distinct windows. Window A occurs when put_device() is called before timer_delete_sync(), allowing the inactivity_timer softirq to read a freed kbd->backlight_dev and call backlight_device_set_brightness(), which attempts to acquire a mutex on already-freed memory. Window B allows a late .event callback from the HID core to arrive after timer_delete_sync() completes but before hid_hw_stop(), permitting the callback to call reset_inactivity_timer() and re-arm the timer on the about-to-be-freed backlight device. The fix reorders teardown operations so that hid_hw_close()/hid_hw_stop() execute before backlight cleanup, and timer_delete_sync() runs before put_device() to ensure the softirq is drained before the final reference is dropped.
Business impact
This vulnerability affects system stability on deployments running affected Linux kernel versions with Apple keyboards attached or supported. Exploitation could lead to kernel panics, system hangs, or potential privilege escalation in multi-tenant or shared-access environments. Organizations relying on Apple hardware with Linux must prioritize patching to prevent denial of service and maintain system availability. The local-access requirement limits blast radius but does not eliminate risk in shared hosting, containerized, or multi-user environments.
Affected systems
Linux kernel systems with the appletb-kbd HID driver compiled or loaded. The vulnerability specifically affects driver initialization and teardown paths, making any system that loads this driver vulnerable during those critical transitions. This primarily impacts Apple hardware running Linux, including MacBook devices with integrated keyboards. The presence of the driver does not require active keyboard input; vulnerability windows are triggered during driver load/unload operations.
Exploitability
Exploitation requires local system access and the ability to trigger driver unload sequences or probe-path errors. An unprivileged local user can force driver reload through sysfs or by unbinding/rebinding the device, creating the race window. No user interaction is required beyond these administrative actions. The race condition is timing-dependent, which may affect reliability across different hardware configurations and kernel compile options. Public exploit code has not been added to the Known Exploited Vulnerabilities (KEV) catalog as of the information cutoff.
Remediation
Apply a patched kernel version that reorders the appletb-kbd driver teardown sequence to close both race windows. Verify against the vendor advisory or kernel security bulletin for the specific patched version applicable to your kernel series. Systems should prioritize applying updates to the affected kernel components as soon as patches are available through distribution channels. In interim mitigation, avoid frequent driver reload cycles and monitor for kernel UAF messages (KASAN output) in system logs.
Patch guidance
Consult the Linux kernel security advisory and your distribution's update channels for patched kernel versions addressing this vulnerability. Verify that the patch incorporates both race-condition fixes: reordering hid_hw_close()/hid_hw_stop() before backlight cleanup, and ensuring timer_delete_sync() precedes put_device(). Test patched kernels in a non-production environment before deployment. Consider enabling KASAN in development/staging environments to catch similar UAF issues early.
Detection guidance
Monitor kernel logs for KASAN slab-use-after-free messages mentioning __mutex_lock, backlight_device_set_brightness, or appletb_inactivity_timer. Kernel crash dumps referencing appletb-kbd driver teardown or the inactivity timer are indicative. Use CONFIG_KASAN if available to increase likelihood of catching the condition. Correlate crashes with driver reload/unbind events to identify exploitation attempts. EDR and kernel-level logging tools should flag processes triggering HID driver unload sequences in rapid succession.
Why prioritize this
HIGH severity (CVSS 7.8) due to local kernel code execution potential, but mitigated by local-access requirement and lack of public exploit availability. Prioritize based on: (1) whether your systems run Apple hardware with this driver active, (2) frequency of driver unload operations in your environment, and (3) whether unprivileged users can trigger driver reload. Multi-user and containerized environments should prioritize higher; single-user desktops may defer slightly, but should not delay indefinitely.
Risk score, explained
CVSS 3.1 score of 7.8 (HIGH) reflects: Attack Vector Local (AV:L) — requires local system access; Attack Complexity Low (AC:L) — race window is reliably triggerable; Privileges Required Low (PR:L) — unprivileged user can unbind/rebind drivers; User Interaction None (UI:N) — no user action needed beyond administrative commands; Scope Unchanged (S:U); Confidentiality, Integrity, Availability all High (C:H/I:H/A:H) — kernel memory corruption enables data theft, system modification, and denial of service. The score appropriately reflects kernel-level impact despite local-only access.
Frequently asked questions
Does this vulnerability require the Apple keyboard to be actively connected?
No. The vulnerability is triggered during driver load/unload operations, not during keyboard input. A system with the appletb-kbd driver compiled or loaded is vulnerable during teardown sequences, regardless of whether the keyboard is currently connected. However, active hardware may increase the likelihood of triggering the race condition.
Can this be exploited remotely?
No. CVE-2026-46213 requires local system access. An attacker must be able to execute commands on the target system or have the ability to manipulate sysfs to trigger driver unload. Remote exploitation is not possible through this vulnerability alone.
What should I do if I cannot immediately patch?
Minimize the frequency of appletb-kbd driver reload/unbind operations. If the driver is not essential to your workload, consider disabling it via kernel boot parameters or blacklisting the module. Monitor kernel logs for KASAN warnings. If you run multi-user systems, restrict physical access to machines and audit sysfs access permissions to prevent unprivileged users from triggering driver unload.
Will my system crash if I run the vulnerable kernel?
Not necessarily during normal operation. The vulnerability requires a specific race condition to be triggered, which occurs during driver load/unload or error paths in probe. Systems that boot once and never reload the driver are at lower risk, though the risk is non-zero if any driver unbind/rebind operations occur automatically or via user action.
This analysis is provided for informational purposes. SEC.co does not guarantee the accuracy, completeness, or timeliness of vulnerability data. Patch version numbers and exact affected ranges should be verified against official Linux kernel security advisories and your distribution's release notes before deploying patches. Organizations should conduct their own risk assessment based on their specific hardware, kernel configuration, and operational environment. No exploit code or detailed proof-of-concept is provided to prevent malicious use. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance