CVE-2025-68258
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_attach() via it->options[2], then multiple calls to multiq3_encoder_reset() at the end of driver-specific attach() method will be running for minutes, thus blocking tasks and affected devices as well. While this issue is most likely not too dangerous for real-life devices, it still makes sense to sanitize configuration inputs. Enable a sensible limit on the number of encoder chips (4 chips max, each with 2 channels) to stop this behaviour from manifesting. [1] Syzbot crash: INFO: task syz.2.19:6067 blocked for more than 143 seconds. ... Call Trace: <TASK> context_switch kernel/sched/core.c:5254 [inline] __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 __schedule_loop kernel/sched/core.c:6944 [inline] schedule+0x165/0x360 kernel/sched/core.c:6959 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 do_dentry_open+0x953/0x13f0 fs/open.c:965 vfs_open+0x3b/0x340 fs/open.c:1097 ...
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-18
Generated
2026-05-27
AI Q&A
2025-12-16
EPSS Evaluated
2026-05-25
NVD
CVE-2025-68258
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
comedi multiq3 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's multiq3 driver, specifically in the multiq3_attach() function. It happens when crafted configuration options specify an excessively large number of channels for the encoder subdevice. This causes multiple calls to multiq3_encoder_reset() to run for an extended time, leading to task timeouts and blocking affected devices. The issue arises because the number of encoder chips and channels is not properly limited, allowing the system to hang during device attachment.


How can this vulnerability impact me? :

The vulnerability can cause tasks to become blocked for minutes, leading to system hangs or delays when opening or configuring devices using the multiq3 driver. This can degrade system performance and availability, potentially affecting any applications or services relying on these devices. However, it is noted that this issue is unlikely to be very dangerous for real-life devices.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for tasks blocked for extended periods due to the multiq3 driver, especially during open() or COMEDI_DEVCONFIG ioctl operations. Look for processes stuck in the comedi_open() function or related calls. You can use commands like 'ps -eo pid,comm,state,etimes | grep D' to find processes in uninterruptible sleep (D state) for a long time, or 'dmesg' to check for kernel logs indicating task timeouts related to multiq3_attach(). Additionally, monitoring for blocked tasks with messages similar to 'task syz.2.19:6067 blocked for more than 143 seconds' can help identify the issue.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves sanitizing the configuration inputs to the multiq3 driver, specifically limiting the number of encoder chips to a maximum of 4 chips, each with 2 channels, to prevent the task timeout issue. Avoid passing excessively large values to the s->n_chan parameter via it->options[2] in multiq3_attach(). If possible, update the Linux kernel to a version where this vulnerability is resolved to ensure proper input validation and prevent the blocking behavior.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart