CVE-2025-40263

Summary

In the Linux kernel, the following vulnerability has been resolved:

Input: cros_ec_keyb - fix an invalid memory access

If cros_ec_keyb_register_matrix() isn't called (due to buttons_switches_only) in cros_ec_keyb_probe(), ckdev->idev remains NULL. An invalid memory access is observed in cros_ec_keyb_process() when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work() in such case.

Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 … x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: input_event cros_ec_keyb_work blocking_notifier_call_chain ec_irq_thread

It's still unknown about why the kernel receives such malformed event, in any cases, the kernel shouldn't access ckdev->idev and friends if the driver doesn't intend to initialize them.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 < d74864291cb8bd784d44d1d02e87109cf88666bbaffected
LinuxLinuxca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 < 9cf59f4724a9ee06ebb06c76b8678ac322e850b7affected
LinuxLinuxca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 < 6d81068685154535af06163eb585d6d9663ec7ecaffected
LinuxLinuxca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 < 2d251c15c27e2dd16d6318425d2f7260cbd47d39affected
LinuxLinuxca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 < e08969c4d65ac31297fcb4d31d4808c789152f68affected
LinuxLinux5.19affected
LinuxLinux0 < 5.19unaffected
LinuxLinux6.1.159 <= 6.1.*unaffected
LinuxLinux6.6.118 <= 6.6.*unaffected
LinuxLinux6.12.60 <= 6.12.*unaffected
LinuxLinux6.17.10 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

ADP Enrichment

Additional References

References