CVE-2025-68335
Null Pointer Dereference in Linux comedi pcl818 Driver Causes Kernel Crash

Publication date: 2025-12-22

Last updated on: 2025-12-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()

Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to general protection fault and kernel crash.

Mitigate this problem by removing a call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice sets up its support for async commands, everything async-related will be handled via subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either.

[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
 <TASK>
 pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
 comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 ...

Meta Information
Published: 2025-12-22
Last Modified: 2025-12-22
Generated: 2026-05-07
AI Q&A: 2025-12-23
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE
Vendor: comedi
Product: pcl818
Version / Range: *

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a null pointer dereference in the Linux kernel's comedi pcl818 driver, specifically in the pcl818_ai_cancel() function. It occurs because when a device is detached early via pcl818_detach(), a pointer to a structure (comedi_async) may not be properly initialized. Dereferencing this uninitialized pointer leads to a general protection fault and causes the kernel to crash. The fix involves removing the call to pcl818_ai_cancel() from pcl818_detach() to avoid dereferencing the null pointer, relying instead on the subdevice's own cancel function to handle asynchronous command cancellation.


How can this vulnerability impact me?

This vulnerability can cause a general protection fault leading to a kernel crash. This means that systems using the affected pcl818 driver in the Linux kernel could experience unexpected crashes or instability, potentially leading to downtime or loss of service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring kernel logs for general protection faults related to pcl818_ai_cancel(), such as null pointer dereferences causing kernel crashes. You can check the kernel log using commands like 'dmesg | grep pcl818_ai_cancel' or 'journalctl -k | grep pcl818_ai_cancel' to identify any crash reports or oops messages referencing pcl818_ai_cancel or pcl818_detach.
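
The grep commands above match any line that names the function. As an added example (not part of the original page or of the kernel project's code), the shell function below counts only oops reports in which the faulting RIP is in pcl818_ai_cancel and the call trace passes through pcl818_detach. The timestamps and the second, unrelated oops in the sample are constructed, and treating a `---[ end trace` line as the end of a report is an assumption about the log format, since the excerpt on this page is truncated.

```shell
#!/bin/sh
# Added example: count kernel oops reports matching the CVE-2025-68335 signature.
# Reads kernel log text on stdin, e.g.:  dmesg | count_pcl818_oops
#                                        journalctl -k | count_pcl818_oops

count_pcl818_oops() {
    awk '
        # Close the current report and count it if both markers were seen.
        function close_report() {
            if (rip && detach) hits++
            rip = 0; detach = 0; in_report = 0
        }
        # A new report starts at the oops / GPF header line.
        /Oops:|general protection fault/ {
            if (in_report) close_report()
            in_report = 1
            next
        }
        # Faulting instruction pointer inside pcl818_ai_cancel().
        in_report && /RIP: [0-9a-f]+:pcl818_ai_cancel\+/ { rip = 1 }
        # Call trace frame showing the detach path from the advisory.
        in_report && /pcl818_detach\+/ { detach = 1 }
        # Assumed end-of-report marker; a truncated log is closed at EOF.
        in_report && /---\[ end trace/ { close_report() }
        END { if (in_report) close_report(); print hits + 0 }
    '
}

# Constructed sample: the first report reuses the trace lines quoted in the
# advisory; the second is an unrelated, made-up oops that must not be counted.
sample_log() {
    cat <<'EOF'
[  101.000001] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
[  101.000002] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[  101.000003] RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
[  101.000004] Call Trace:
[  101.000005]  <TASK>
[  101.000006]  pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
[  101.000007]  comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
[  101.000008] ---[ end trace 0000000000000000 ]---
[  205.000001] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#2] SMP KASAN PTI
[  205.000002] RIP: 0010:example_other_func+0x10/0x20
[  205.000003] ---[ end trace 0000000000000000 ]---
EOF
}

sample_log | count_pcl818_oops
```

A non-zero count means at least one crash with this exact signature is present in the log that was read.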


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, apply the upstream fix, which removes the call to pcl818_ai_cancel() from pcl818_detach() in the Linux kernel source. With that call removed, asynchronous command cancellation is handled via the subdevice's own cancel() function in comedi_device_detach_locked(), preventing the null pointer dereference and the resulting kernel crash.

