
CVE-2026-46213

Published: May 28, 2026 · Updated: May 28, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 4.3th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: fix UAF in inactivity-timer cleanup path

Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.

Window A -- put_device() before timer_delete_sync():

    put_device(&kbd->backlight_dev->dev);
    timer_delete_sync(&kbd->inactivity_timer);

The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock). If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.

Window B -- backlight cleanup before hid_hw_stop():

    if (kbd->backlight_dev) {
            timer_delete_sync(...);
            put_device(...);
    }
    hid_hw_close(hdev);
    hid_hw_stop(hdev);

Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late ".event" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference. That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer. The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.

Both windows produce the same KASAN slab-use-after-free:

    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0
    Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0

    Call Trace:
     <IRQ>
     __mutex_lock
     backlight_device_set_brightness
     appletb_inactivity_timer
     call_timer_fn
     run_timer_softirq
     handle_softirqs

    Allocated by task N:
     devm_backlight_device_register
     appletb_bl_probe

    Freed by task M:
     (concurrent hid_appletb_bl unbind path)

Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that

  1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup, guaranteeing no further .event callback can fire and re-arm the timer, and

  2) inside the "if (kbd->backlight_dev)" block, timer_delete_sync() runs before put_device(), so the softirq is drained before the final reference is dropped.

NVD Source
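
The ordering argument in the description can be checked with a small userspace model. This is an added example, not code from the kernel patch: the `step`/`model` types, the function names and the two-reference assumption (the keyboard driver's reference plus the devm owner's) are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model of the tear-down steps; not kernel code. */
enum step { STOP_HW, DEL_TIMER, PUT_DEV };
const enum step WINDOW_A[3] = { PUT_DEV, DEL_TIMER, STOP_HW };
const enum step WINDOW_B[3] = { DEL_TIMER, PUT_DEV, STOP_HW };
const enum step FIXED[3]    = { STOP_HW, DEL_TIMER, PUT_DEV };

struct model {
    bool hw_open;     /* HID core can still deliver .event callbacks */
    bool timer_armed; /* inactivity timer is pending */
    bool unbound;     /* hid_appletb_bl unbind already dropped its ref */
    int  bl_refs;     /* assumed refs on backlight_device: kbd's + devm's */
};

/* Worst-case concurrency after a step; true = armed timer, freed backlight. */
static bool gap_hits_uaf(struct model *m)
{
    if (m->hw_open)
        m->timer_armed = true;  /* late .event -> mod_timer() re-arms */
    if (!m->unbound)            /* concurrent unbind drops the devm ref */
        m->bl_refs--;
    m->unbound = true;
    return m->timer_armed && m->bl_refs == 0;
}

/* Returns true if running the three steps in this order can end in a UAF. */
bool teardown_can_uaf(const enum step order[3])
{
    struct model m = { .hw_open = true, .timer_armed = true, .bl_refs = 2 };
    for (int i = 0; i < 3; i++) {
        switch (order[i]) {
        case STOP_HW:   m.hw_open = false;     break; /* hid_hw_close/stop */
        case DEL_TIMER: m.timer_armed = false; break; /* timer_delete_sync */
        case PUT_DEV:   m.bl_refs--;           break; /* put_device */
        }
        if (gap_hits_uaf(&m))
            return true;
    }
    return false;
}

int main(void)
{
    printf("window A: %d, window B: %d, fixed: %d\n",
           teardown_can_uaf(WINDOW_A), teardown_can_uaf(WINDOW_B), teardown_can_uaf(FIXED));
    return 0;
}
```

Of the six possible orderings of the three steps, the model reports only stop-hardware, delete-timer, put-device as safe, which is the order the fix establishes.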

Technical Analysis

CVE-2026-46213 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description): Apple, Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time


Quick Facts

CVE ID: CVE-2026-46213
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: May 28, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46213 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.