CVE-2026-46202

MEDIUM EPSS 2.8%
Published May 28, 20261mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 28, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: run inactivity autodim from workqueues The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts: * appletb_inactivity_timer() is a struct timer_list callback, so it runs in softirq context. Every expiry triggers BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: <IRQ> __might_resched __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq * reset_inactivity_timer() is called from appletb_kbd_hid_event() and appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning. Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue: * Convert the inactivity timer from struct timer_list to struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal. * Add a dedicated struct work_struct restore_brightness_work and have reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly. Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop. The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as "reset the inactivity timer".

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥6.15  –  <6.18.32
linuxlinux_kernel*≥6.19  –  <7.0.9
linuxlinux_kernel7.1any
linuxlinux_kernel7.1any
linuxlinux_kernel7.1any

References 3

  • git.kernel.org https://git.kernel.org/stable/c/1654e53349d4e657b331de354313461f401f5063
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2473a334c292af257ef68e33bc7760f4a8251812
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5c0830323689ef15224f0025276176988861b3b0
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1654e53349d4e657b331de354313461f401f5063
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2473a334c292af257ef68e33bc7760f4a8251812
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5c0830323689ef15224f0025276176988861b3b0
    Patch