Intro: How CVE-2026-46202 Works
The Linux kernel’s HID driver for Apple Touch Bar keyboards (hid-appletb-kbd) contains a locking bug that leads to illegal sleeping in atomic contexts. The driver implements an auto‑dimming feature for the backlight: after a period of inactivity, it dims and eventually turns off the Touch Bar backlight; any user input (key press, touch) resets the timer and restores brightness.
The vulnerability stems from calling `backlight_device_set_brightness()` – a function that acquires a mutex (backlight_device->ops_lock) – from two code paths that run in atomic (non‑sleepable) contexts:
1. Inactivity timer callback – `appletb_inactivity_timer()` is a `struct timer_list` callback, which executes in softirq (bottom‑half) context. When the timer expires, it directly calls the backlight function, triggering a `BUG: sleeping function called from invalid context` because mutex locking can sleep.
2. Input event handlers – `reset_inactivity_timer()` is invoked from `appletb_kbd_hid_event()` (USB HID report completion, IRQ context) and `appletb_kbd_inp_event()` (input subsystem event dispatch, also IRQ/softirq). If the backlight was previously dimmed or off, this reset path again calls `backlight_device_set_brightness()` directly, reproducing the same illegal mutex lock from atomic context.
The result is a kernel bug splat, system log spam, and potential denial of service (system instability or panic). An attacker with local access to the keyboard (i.e., any user who can generate input events on an affected Apple MacBook with Touch Bar) can reliably trigger this bug by letting the inactivity timer expire or by causing rapid brightness resets.
The fix reworks the driver to avoid blocking operations in atomic contexts: the timer is replaced with a `delayed_work` (runs in process context), and a dedicated `work_struct` is used to restore brightness from the reset path. Both works are cancelled during driver removal.
DailyCVE Form:
Platform: Linux kernel
Version: 6.x – 6.13
Vulnerability: Atomic context sleeping
Severity: Medium
Date: 2026-05-28
Prediction: Already patched 2026-06-10
What Undercode Say:
```bash
# Check if your kernel is vulnerable (version range)
uname -r
# Affected: >=6.0 and <=6.13 (fixed in 6.13+)

# Simulate the bug by forcing inactivity timeout (if driver loaded)
echo 1 > /sys/class/backlight/appletb_kbd/brightness  # set brightness
# Wait for inactivity dim (default 5s) then turn-off (30s) – triggers softirq mutex lock

# Trigger directly from input (reset path) using evtest
sudo evtest --grab /dev/input/eventX  # X = Touch Bar input device
# Press any key – will call backlight_set from IRQ context

# Crash dmesg pattern to look for
dmesg | grep "BUG: sleeping function called from invalid context"
dmesg | grep "appletb_inactivity_timer"
```
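The two dmesg greps above match the splat header and the timer callback separately, so they cannot tell which of the two paths fired or whether a splat belongs to this driver at all. As an added example (not from the original post or the kernel project), this Python script groups each splat with its call trace and labels it using the function names from the intro; the sample log is constructed and the labels `timer` and `input-reset` are this example's own.

```python
import re

# Driver functions the page names for each atomic-context path.
TIMER_PATH = {"appletb_inactivity_timer"}
INPUT_PATH = {"reset_inactivity_timer", "appletb_kbd_hid_event", "appletb_kbd_inp_event"}
SPLAT = "BUG: sleeping function called from invalid context"
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
# Reliable frame "func+0xOFF/0xSIZE"; unreliable "? func+..." lines do not match.
FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def _path(frames):
    if "backlight_device_set_brightness" in frames:
        if frames & TIMER_PATH:
            return "timer"
        if frames & INPUT_PATH:
            return "input-reset"
    return "unrelated"

def classify_splats(log_text):
    """Return one label per sleeping-in-atomic splat found in log_text."""
    splats, frames = [], None
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        if SPLAT in line:
            frames = set()
            splats.append(frames)
        elif frames is not None:
            if "</IRQ>" in line or "</TASK>" in line:
                frames = None  # end of this splat's call trace
            elif (m := FRAME.match(line)):
                frames.add(m.group(1))
    return [_path(f) for f in splats]

# Constructed, trimmed sample (not from a real machine); offsets are made up.
SAMPLE = """\
[  312.100001] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
[  312.100011]  <IRQ>
[  312.100019]  mutex_lock+0x1c/0x50
[  312.100022]  backlight_device_set_brightness+0x2e/0xb0
[  312.100025]  appletb_inactivity_timer+0x44/0x90 [hid_appletb_kbd]
[  312.100031]  </IRQ>
[  340.500001] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
[  340.500018]  ? reset_inactivity_timer+0x10/0x60 [hid_appletb_kbd]
[  340.500022]  backlight_device_set_brightness+0x2e/0xb0
[  340.500025]  appletb_kbd_hid_event+0x9a/0x120 [hid_appletb_kbd]
[  340.500031]  </IRQ>
[  401.000001] BUG: sleeping function called from invalid context at mm/slab.h:100
[  401.000019]  kmalloc_trace+0x2a/0xa0
"""
```

`classify_splats(SAMPLE)` returns `['timer', 'input-reset', 'unrelated']`; feed it the output of `dmesg` or a saved kernel log to triage real hosts.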
Exploit:
Local attacker causes kernel panic or soft lockup by:
- Letting the inactivity timer expire naturally (no interaction for ~30s)
- Rapidly generating input events to repeatedly call the reset path from IRQ context
- No special privileges required – only physical or virtual input access to the Touch Bar
Protection:
- Apply the kernel commit that replaces the timer with `delayed_work` and adds a dedicated restore workqueue
- Mitigation: blacklist the `hid-appletb-kbd` module (`echo blacklist hid-appletb-kbd > /etc/modprobe.d/appletb.conf`)
- Disable auto‑dim via sysfs if backlight control is not critical
- Upgrade to Linux kernel v6.14 or any distribution backport containing the fix
Impact:
- System log flooded with sleeping‑in‑atomic warnings
- Potential kernel panic or hard freeze on some configurations
- Denial of service (system becomes unresponsive until reboot)
- No privilege escalation – primarily availability impact
Sources:
Reported By: nvd.nist.gov

