PatchSiren

CVE-2026-46213 Linux CVE debrief

A use-after-free (UAF) vulnerability exists in the Linux kernel's HID appletb-kbd driver, specifically in the inactivity-timer cleanup path during driver teardown. The flaw stems from two distinct race windows where the inactivity timer remains reachable after resources are freed. Window A occurs when put_device() is called before timer_delete_sync(), allowing the timer softirq to access a freed backlight_device. Window B occurs when backlight cleanup happens before hid_hw_stop(), permitting a late HID event callback to re-arm the timer after it was supposedly drained. Both windows trigger KASAN slab-use-after-free errors when the timer fires and attempts to lock a mutex on freed memory. The vulnerability was introduced by an incomplete fix in commit 38224c472a03. The resolution restructures teardown to ensure hid_hw_close()/hid_hw_stop() execute before backlight cleanup, and timer_delete_sync() runs before put_device() within the backlight cleanup block.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Linux kernel maintainers, system administrators running Linux on Apple hardware with Magic Keyboards, embedded Linux developers using HID subsystem drivers, and security teams tracking kernel memory safety vulnerabilities.

Technical summary

The hid_appletb_kbd driver for Apple Magic Keyboard contains a use-after-free vulnerability in its teardown path. The inactivity_timer, which manages backlight dimming after keyboard inactivity, can access freed memory through two race conditions. First, if the backlight_device reference is dropped before the timer is synchronized, the timer softirq may call backlight_device_set_brightness() on freed memory. Second, if HID hardware operations are stopped after backlight cleanup, a late HID event can re-arm the timer after synchronization but before device release. The fix reorders operations to guarantee no HID callbacks can fire before timer cleanup, and ensures timer synchronization completes before the final device reference is dropped.
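The ordering rule described above can be checked with a small user-space model. This is an added example, not code from the driver or the kernel patches; the step names follow the calls named on this page, while check_teardown() and the state flags are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Teardown steps named on the page; hid_hw_close()/hid_hw_stop() are one step here. */
enum step { STOP_HID, DEL_TIMER, PUT_DEV };
enum { SAFE = 0, WINDOW_A = 1, WINDOW_B = 2 };

/* Walk one teardown order under worst-case scheduling and return a
 * bitmask of the race windows it leaves open. Simplified model only. */
int check_teardown(const enum step order[3])
{
    bool hid_live = true;   /* HID event callbacks can still run */
    bool armed = true;      /* inactivity timer is pending */
    bool rearmed = false;   /* timer was re-armed after timer_delete_sync() */
    bool freed = false;     /* last backlight_device reference was dropped */
    int windows = SAFE;

    for (int i = 0; i < 3; i++) {
        switch (order[i]) {
        case STOP_HID:  hid_live = false; break;
        case DEL_TIMER: armed = false;    break;
        case PUT_DEV:   freed = true;     break;
        }
        /* A late HID event re-arms a drained timer while callbacks are live. */
        if (hid_live && !armed) {
            armed = true;
            rearmed = true;
        }
        /* A pending timer that fires now touches the freed backlight_device. */
        if (armed && freed)
            windows |= rearmed ? WINDOW_B : WINDOW_A;
    }
    return windows;
}

int main(void)
{
    static const char *name[] = { "hid_hw_stop", "timer_delete_sync", "put_device" };
    static const enum step orders[6][3] = {
        { STOP_HID, DEL_TIMER, PUT_DEV }, { STOP_HID, PUT_DEV, DEL_TIMER },
        { DEL_TIMER, STOP_HID, PUT_DEV }, { DEL_TIMER, PUT_DEV, STOP_HID },
        { PUT_DEV, STOP_HID, DEL_TIMER }, { PUT_DEV, DEL_TIMER, STOP_HID },
    };
    for (int i = 0; i < 6; i++) {
        int w = check_teardown(orders[i]);
        printf("%s -> %s -> %s: %s%s%s\n", name[orders[i][0]], name[orders[i][1]],
               name[orders[i][2]], w ? "" : "safe",
               (w & WINDOW_A) ? "window A " : "", (w & WINDOW_B) ? "window B" : "");
    }
    return 0;
}
```

Of the six possible orders, only stopping HID first, then deleting the timer, then dropping the device reference leaves neither window open, which is the order the fix enforces.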

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable tree commits 4db2af929279c799b5653a39eb0795c72baffca4, 59a79938ca5541fe55d675304116b7ea684afef0, and 93d989e47bc316c793a69c6a332e053c90e29f02
  • Prioritize patching systems with Apple Magic Keyboard hardware using the hid_appletb_kbd driver
  • Monitor for kernel updates from distribution vendors incorporating these stable tree fixes
  • Review custom kernel builds for presence of vulnerable appletb-kbd driver code
  • Consider disabling the appletb-kbd driver on non-Apple hardware where not required

Evidence notes

The CVE description provides detailed technical analysis including commit references, specific code paths, and KASAN stack traces. Three kernel.org stable tree commits are cited as references. The vulnerability was disclosed via NVD on 2026-05-28 with status 'Awaiting Analysis'. No CVSS score or severity rating has been assigned.
