CVE-2025-40107
Description
In the Linux kernel, the following vulnerability has been resolved:
can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled
This issue is similar to the vulnerability in the mcp251x driver, which was fixed in commit 03c427147b2d ("can: mcp251x: fix resume from sleep before interface was brought up").
In the hi311x driver, when the device resumes from sleep, the driver schedules priv->restart_work. However, if the network interface was not previously enabled, the priv->wq (workqueue) is not allocated and initialized, leading to a null pointer dereference.
To fix this, we move the allocation and initialization of the workqueue from the hi3110_open function to the hi3110_can_probe function. This ensures that the workqueue is properly initialized before it is used during device resume. We also add logic to destroy the workqueue in the error handling paths of hi3110_can_probe and in the hi3110_can_remove function to prevent resource leaks.
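The ordering problem and the fix described above, as an added userspace C model that is not the kernel patch or the driver's code. The model_* functions and both structs are hypothetical stand-ins for hi3110_can_probe, hi3110_open, the resume path and hi3110_can_remove; model_resume returns -1 at the point where the real driver would dereference the NULL priv->wq.

```c
/* Userspace model, not kernel code; model_* names and structs are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct wq { int queued; };                 /* stand-in for the kernel workqueue */
struct priv { struct wq *wq; int fixed; }; /* fixed=1: post-patch ordering */
static void wq_destroy(struct priv *p) { free(p->wq); p->wq = NULL; }

/* hi3110_can_probe: post-fix it creates wq and frees it if probe fails later. */
int model_probe(struct priv *p, int fixed, int later_step_fails)
{
    p->fixed = fixed;
    p->wq = fixed ? calloc(1, sizeof(*p->wq)) : NULL;
    if (later_step_fails || (fixed && !p->wq)) {
        wq_destroy(p);                     /* error path: nothing leaked */
        return -1;
    }
    return 0;
}

/* hi3110_open: pre-fix, the only place wq was created. */
int model_open(struct priv *p)
{
    if (!p->fixed && !p->wq)
        p->wq = calloc(1, sizeof(*p->wq));
    return p->wq ? 0 : -1;
}

/* Resume queues restart_work on priv->wq; -1 marks where the kernel would oops. */
int model_resume(struct priv *p)
{
    if (!p->wq)
        return -1;
    p->wq->queued++;
    return 0;
}

/* hi3110_can_remove: post-fix it also destroys the workqueue. */
void model_remove(struct priv *p) { wq_destroy(p); }

int main(void)
{
    struct priv pre, post;
    model_probe(&pre, 0, 0);
    model_probe(&post, 1, 0);
    printf("pre-fix %d, post-fix %d\n", model_resume(&pre), model_resume(&post));
    model_remove(&post);
    return 0;
}
```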
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's hi311x CAN driver, a null pointer dereference occurs when resuming from sleep before the network interface is enabled, due to an uninitialized workqueue.
Root Cause
The vulnerability in the hi311x CAN driver is a null pointer dereference that occurs when the system resumes from a sleep state before the network interface has been brought up. The root cause is that the driver's workqueue (priv->wq) is allocated and initialized in the hi3110_open function, but the resume path schedules priv->restart_work without first checking whether the workqueue exists. If the interface was never opened, priv->wq remains NULL, leading to a crash when the scheduler tries to queue work on it. This mirrors a similar bug in the mcp251x driver that was previously fixed [1].
Exploitation
An attacker would need to be able to trigger a suspend/resume cycle on a system using the hi311x CAN controller. No authentication or special privileges are required beyond the ability to put the system to sleep (e.g., via S3 sleep or hibernation). The attack does not require any network access; it is a local issue that can be triggered simply by resuming from sleep before the CAN interface has been activated. The prerequisite is that the driver must be loaded and the device present, but the interface must not have been brought up via `ip link set can0 up` [2].
Impact
Exploiting this vulnerability causes a kernel NULL pointer dereference, which typically results in an immediate system crash (kernel oops) or denial of service. In some configurations, it might be leveraged for local privilege escalation if the attacker can control the content near NULL in memory, though the primary impact is system availability. The bug specifically targets the CAN subsystem and can render the system unusable until reboot.
Mitigation
The fix moves the workqueue allocation from hi3110_open to the probe function hi3110_can_probe, ensuring the workqueue is created before any resume can occur. The patch also adds proper cleanup in error paths and in the remove function to prevent resource leaks [3]. The fix has been applied to the stable kernel trees; users should update their kernels to a version containing the commit. No workaround is available besides avoiding suspend/resume cycles until the patch is applied.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 5
- e93af787187e
- 1d2ef21f02ba
- fd00cf38fd43
- 6b6968084721
- d1fc4c041459
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/1d2ef21f02baff0c109ad78b9e835fb4acb14533 (nvd)
- git.kernel.org/stable/c/6b696808472197b77b888f50bc789a3bae077743 (nvd)
- git.kernel.org/stable/c/d1fc4c041459e2d4856c1b2501486ba4f0cbf96b (nvd)
- git.kernel.org/stable/c/e93af787187e585933570563c643337fa731584a (nvd)
- git.kernel.org/stable/c/fd00cf38fd437c979f0e5905e3ebdfc3f55a4b96 (nvd)