VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026

CVE-2025-40030

Description

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: check the return value of pinmux_ops::get_function_name()

While the API contract in docs doesn't specify it explicitly, the generic implementation of the get_function_name() callback from struct pinmux_ops - pinmux_generic_get_function_name() - can fail and return NULL. This is already checked in pinmux_check_ops() so add a similar check in pinmux_func_name_to_selector() instead of passing the returned pointer right down to strcmp() where the NULL can get dereferenced. This is normal operation when adding new pinfunctions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's pinctrl subsystem occurs when pinmux_func_name_to_selector() passes a NULL returned by get_function_name() to strcmp().

Vulnerability Overview

A NULL pointer dereference vulnerability exists in the Linux kernel's pinctrl subsystem. The function pinmux_func_name_to_selector() passes the return value of pinmux_ops::get_function_name() directly to strcmp() without first checking for NULL. While the API contract does not explicitly require a non-NULL return, the generic implementation pinmux_generic_get_function_name() can fail and return NULL, leading to a potential NULL dereference when strcmp() is called on the returned pointer [1]. This condition can occur during normal operation when new pin functions are being added.

Attack Vector and Prerequisites

An attacker would need local access to the system and the ability to trigger the addition of new pin functions that cause the get_function_name() callback to fail. The vulnerability is reachable through normal kernel operations involving pinmux configuration; no special privileges beyond those needed to interact with the pinctrl subsystem are required. The issue lies in the missing return value validation in a code path that was already partially checked elsewhere in pinmux_check_ops(), but the NULL can still propagate to pinmux_func_name_to_selector() [2].

Impact

Successful exploitation could result in a denial of service (system crash or kernel panic) due to the NULL pointer dereference. The bug does not appear to allow arbitrary code execution or privilege escalation, as the dereference occurs in kernel context and would typically lead to an oops. However, it could be used as a local denial of service vector in environments where untrusted users can influence pin function registration.

Mitigation Status

Patches have been committed to the Linux kernel stable trees. The fix adds a NULL check on the return value of get_function_name() before passing it to strcmp(), preventing the dereference [3]. System administrators should apply the relevant stable kernel updates for affected kernels.
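The unchecked lookup and the NULL-checked form described above, modelled in userspace C as an added example (this is not the kernel's code or the patch itself). `struct mux_ops`, the `sample_*` names and both `name_to_selector_*` functions are hypothetical, the name table is constructed, and skipping a NULL slot to keep scanning is this example's assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace model. struct mux_ops and every name below are hypothetical;
 * only the callback-result-into-strcmp() pattern comes from the advisory. */
struct mux_ops {
    unsigned int (*get_functions_count)(void);
    const char *(*get_function_name)(unsigned int selector);
};

/* Constructed sample table: slot 1 models a name lookup that fails. */
static const char *const sample_names[] = { "uart0", NULL, "i2c1" };

static unsigned int sample_count(void) { return 3; }

static const char *sample_name(unsigned int selector)
{
    return selector < sample_count() ? sample_names[selector] : NULL;
}

const struct mux_ops sample_ops = { sample_count, sample_name };

/* Unchecked form: a NULL name reaches strcmp(). Comparison only, never called. */
int name_to_selector_unchecked(const struct mux_ops *ops, const char *function)
{
    for (unsigned int sel = 0; sel < ops->get_functions_count(); sel++)
        if (!strcmp(function, ops->get_function_name(sel)))
            return (int)sel;
    return -EINVAL;
}

/* Checked form (assumed behaviour): test the pointer, skip the slot, keep scanning. */
int name_to_selector_checked(const struct mux_ops *ops, const char *function)
{
    for (unsigned int sel = 0; sel < ops->get_functions_count(); sel++) {
        const char *fname = ops->get_function_name(sel);
        if (fname && !strcmp(function, fname))
            return (int)sel;
    }
    return -EINVAL;
}

int main(void)
{
    printf("i2c1 -> %d\n", name_to_selector_checked(&sample_ops, "i2c1"));
    printf("spi0 -> %d\n", name_to_selector_checked(&sample_ops, "spi0"));
    return 0;
}
```

The lookup for `i2c1` has to pass over the NULL slot to reach its match, which is the case the unchecked form cannot survive.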

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
