Linux Kernel mac_hid_toggle_emumouse Race Cond. CVE-2025-68367
CVE-2025-68367 Published on December 24, 2025
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
In the Linux kernel, the following vulnerability has been resolved:
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
The following warning appears when running syzkaller, and this issue also
exists in the mainline code.
------------[ cut here ]------------
list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.
WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130
Modules linked in:
CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_add_valid_or_report+0xf7/0x130
RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817
RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001
RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c
R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100
R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48
FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
input_register_handler+0xb3/0x210
mac_hid_start_emulation+0x1c5/0x290
mac_hid_toggle_emumouse+0x20a/0x240
proc_sys_call_handler+0x4c2/0x6e0
new_sync_write+0x1b1/0x2d0
vfs_write+0x709/0x950
ksys_write+0x12a/0x250
do_syscall_64+0x5a/0x110
entry_SYSCALL_64_after_hwframe+0x78/0xe2
The WARNING occurs when two processes concurrently write to the mac-hid
emulation sysctl, causing a race condition in mac_hid_toggle_emumouse().
Both processes read old_val=0, then both try to register the input handler,
leading to a double list_add of the same handler.
CPU0 CPU1
------------------------- -------------------------
vfs_write() //write 1 vfs_write() //write 1
proc_sys_write() proc_sys_write()
mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()
old_val = *valp // old_val=0
old_val = *valp // old_val=0
mutex_lock_killable()
proc_dointvec() // *valp=1
mac_hid_start_emulation()
input_register_handler()
mutex_unlock()
mutex_lock_killable()
proc_dointvec()
mac_hid_start_emulation()
input_register_handler() //Trigger Warning
mutex_unlock()
Fix this by moving the old_val read inside the mutex lock region.
Products Associated with CVE-2025-68367
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Linux Kernel. Just hit a watch button to start following.
Affected Versions
Linux:- Version 99b089c3c38a83ebaeb1cc4584ddcde841626467 and below d5f1d40fd342b589420de7508b4c748fcf28122e is affected.
- Version 99b089c3c38a83ebaeb1cc4584ddcde841626467 and below 14c209835e47a87e6da94bb9401e570dcc14f31f is affected.
- Version 99b089c3c38a83ebaeb1cc4584ddcde841626467 and below 583d36523f56d8e9ddfa0bec20743a6faefc9b74 is affected.
- Version 99b089c3c38a83ebaeb1cc4584ddcde841626467 and below 61abf8c3162d155b4fd0fb251f08557093363a0a is affected.
- Version 99b089c3c38a83ebaeb1cc4584ddcde841626467 and below 230621ffdb361d15cd3ef92d8b4fa8d314f4fad4 is affected.
- Version 99b089c3c38a83ebaeb1cc4584ddcde841626467 and below 388391dd1cc567fcf0b372b63d414c119d23e911 is affected.
- Version 99b089c3c38a83ebaeb1cc4584ddcde841626467 and below 48a7d427eb65922b3f17fbe00e2bbc7cb9eac381 is affected.
- Version 99b089c3c38a83ebaeb1cc4584ddcde841626467 and below 1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f is affected.
- Version 2.6.34 is affected.
- Before 2.6.34 is unaffected.
- Version 5.10.248, <= 5.10.* is unaffected.
- Version 5.15.198, <= 5.15.* is unaffected.
- Version 6.1.160, <= 6.1.* is unaffected.
- Version 6.6.120, <= 6.6.* is unaffected.
- Version 6.12.63, <= 6.12.* is unaffected.
- Version 6.17.13, <= 6.17.* is unaffected.
- Version 6.18.2, <= 6.18.* is unaffected.
- Version 6.19, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.