Acknowledged
Created: Jan 13, 2026
Updated: Jan 26, 2026
Resolved Date: Jan 25, 2026
Found In Version: 10.21.20.2
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:
Input: lkkbd - disable pending work before freeing device
lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
handler lkkbd_reinit() dereferences the lkkbd structure and its
serio/input_dev fields.
lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
structure without preventing the reinit work from being queued again
until serio_close() returns. This can allow the work handler to run
after the structure has been freed, leading to a potential use-after-free.
Use disable_work_sync() instead of cancel_work_sync() to ensure the
reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
and in lkkbd_connect() error paths after serio_open().
========Wind River Notice========
Mitigation:
Disable the kernel Module CONFIG_KEYBOARD_LKKBD ("DECstation/VAXstation LK201/LK401 keyboard") which is not used widely and is not enabled by default.
