-

CVE-2025-68335

In the Linux kernel, the following vulnerability has been resolved:

comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()

Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.

Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice setups its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.

[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
 <TASK>
 pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
 comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
...
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16
Version 00aba6e7b5653a6607238ecdab7172318059d984
Status affected
Version < 935ad4b3c325c24fff2c702da403283025ffc722
Version 00aba6e7b5653a6607238ecdab7172318059d984
Status affected
Version < 88d99ca5adbd01ff088f5fb2ddeba5755e085e52
Version 00aba6e7b5653a6607238ecdab7172318059d984
Status affected
Version < 5caa40e7c6a43e08e3574f990865127705c22861
Version 00aba6e7b5653a6607238ecdab7172318059d984
Status affected
Version < d948c53dec36dafe182631457597c49c1f1df5ea
Version 00aba6e7b5653a6607238ecdab7172318059d984
Status affected
Version < 877adccfacb32687b90714a27cfb09f444fdfa16
Version 00aba6e7b5653a6607238ecdab7172318059d984
Status affected
Version < a51f025b5038abd3d22eed2ede4cd46793d89565
Version 00aba6e7b5653a6607238ecdab7172318059d984
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 3.15
Status affected
Version < 3.15
Version 0
Status unaffected
Version <= 5.15.*
Version 5.15.198
Status unaffected
Version <= 6.1.*
Version 6.1.160
Status unaffected
Version <= 6.6.*
Version 6.6.120
Status unaffected
Version <= 6.12.*
Version 6.12.62
Status unaffected
Version <= 6.17.*
Version 6.17.12
Status unaffected
Version <= 6.18.*
Version 6.18.1
Status unaffected
Version <= *
Version 6.19-rc1
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.099
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.