LiveActive security incident?Get immediate response
CVE Record

CVE-2025-68312: usbnet: Prevents free active kevent

In the Linux kernel, the following vulnerability has been resolved: usbnet: Prevents free active kevent The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the "free active object (kevent)" error reported here. 2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed. The solution to this problem is to cancel the kevent before executing free_netdev().

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2025-68312 is a Linux kernel usbnet cleanup flaw. During USB network device removal, queued work can remain active while the network device is freed, producing a kernel “free active object” error. Public sources do not provide a CVSS score or exploitation evidence.

Executive priority

Treat as a kernel maintenance item until severity is clarified. Prioritize patch validation for fleets using USB networking, kiosks, labs, embedded Linux, and systems where untrusted USB devices can be attached.

Technical view

In usbnet, usbnet_link_change() can queue kevent during probe. If the device is unregistered before that work runs, free_netdev() may free the object. When the interface is not up, ndo_stop() does not cancel kevent. The kernel fix cancels kevent before free_netdev().

Likely exposure

Linux systems using the usbnet driver or USB network adapters are the most relevant exposure. The CVE record lists Linux kernel versions and stable commits, but no CPEs. Distribution backports may change apparent version exposure.

Exploitation context

No KEV listing is present, and the provided sources do not claim active exploitation. Sources describe a lifecycle race during usbnet probe, disconnect, unregister, and cleanup. They do not describe remote exploitation or an attacker prerequisite.

Researcher notes

Evidence is limited to the CVE text and Linux stable commit references. There is no CVSS, CWE, CPE, or public exploit claim in the provided bundle. Validate distro-specific impact because kernel vendors frequently backport fixes without changing upstream version numbers.

Mitigation direction

  • Check your Linux distribution or kernel vendor advisory for CVE-2025-68312 status.
  • Update to a kernel containing the referenced usbnet stable fix.
  • Prioritize systems that use USB network adapters or expose USB device attachment.
  • If patching is delayed, reduce unnecessary USB network device usage where operationally feasible.

Validation and detection

  • Inventory Linux kernel versions across servers, workstations, appliances, and embedded devices.
  • Identify systems loading or depending on the usbnet driver.
  • Compare deployed kernels with vendor advisories and referenced stable commits.
  • Confirm patched kernels include the kevent cancellation before free_netdev().
  • Monitor kernel logs for related usbnet cleanup or free active object errors.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-68312 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux8b4588b8b00b299be16a35be67b331d8fdba03f3, 135199a2edd459d2b123144efcd7f9bcd95128e4, 635fd8953e4309b54ca6a81bed1d4a87668694f4, a69e617e533edddf3fa3123149900f36e0a6dc74, a69e617e533edddf3fa3123149900f36e0a6dc74, a69e617e533edddf3fa3123149900f36e0a6dc74, a69e617e533edddf3fa3123149900f36e0a6dc74, a69e617e533edddf3fa3123149900f36e0a6dc74, d2d6b530d89b0a912148018027386aa049f0a309, e2a521a7dcc463c5017b4426ca0804e151faeff7, 7f77dcbc030c2faa6d8e8a594985eeb34018409e, d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f, db3b738ae5f726204876f4303c49cfdf4311403f, 5.4.211, 5.10.137, 5.15.61, 4.9.326, 4.14.291, 4.19.256, 5.18.18, 5.19.2unaffected
LinuxLinux6.0, 0, 5.4.302, 5.10.247, 5.15.197, 6.1.159, 6.6.117, 6.12.58, 6.17.8, 6.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.