CVE-2025-21797
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's Corsair VOID headset driver occurs when the device is disconnected without properly canceling delayed work. This can lead to kernel memory corruption and potential system crashes or privilege escalation. Affects Linux systems using Corsair VOID wireless headsets with the vulnerable driver.
💻 Affected Systems
- Linux kernel with corsair-void HID driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Local attacker with physical access to USB port could trigger kernel panic or potentially execute arbitrary code with kernel privileges, leading to full system compromise.
Likely Case
System instability or kernel panic when Corsair VOID headset is unplugged during operation, requiring reboot.
If Mitigated
Minor system disruption requiring reboot if kernel panic occurs, but no privilege escalation due to SELinux/AppArmor and other kernel hardening.
🎯 Exploit Status
Requires physical access to trigger device removal or ability to simulate USB device disconnection. Use-after-free exploitation requires additional heap manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 2dcb56a0a4da6946f6c18288da595c13e0d2af86 and 48e487b002891eb0aeaec704c9bed51f028deff1 applied
Vendor Advisory: https://git.kernel.org/stable/c/2dcb56a0a4da6946f6c18288da595c13e0d2af86
Restart Required: No
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. For distributions: Use package manager (apt/yum/dnf) to update kernel package. 3. Rebuild kernel if using custom kernel with the fix commits.
🔧 Temporary Workarounds
Disable corsair-void module
allPrevent loading of vulnerable kernel module
echo 'blacklist hid-corsair' | sudo tee /etc/modprobe.d/blacklist-corsair.conf
sudo rmmod hid_corsair
Avoid headset disconnection during use
allPrevent triggering the vulnerability by not unplugging Corsair VOID headset while system is running
🧯 If You Can't Patch
- Restrict physical access to USB ports
- Use alternative audio devices instead of Corsair VOID headsets
🔍 How to Verify
Check if Vulnerable:
Check if corsair-void module is loaded: lsmod | grep corsair. Check kernel version against patched versions.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits or is newer than vulnerable versions. Check dmesg for no use-after-free errors when disconnecting headset.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in dmesg/system logs
- Use-after-free or general protection fault errors in kernel logs when Corsair device is removed
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("general protection fault" OR "use-after-free" OR "kernel panic") AND "corsair"