CVE-2025-40116
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's MAX3421 HCD driver, a NULL or error pointer dereference in probe cleanup can occur when kthread_run() fails, leading to a potential crash.
Vulnerability Overview
In the Linux kernel, the MAX3421 Host Controller Driver (HCD) for USB over SPI contains a bug in its probe cleanup path. The kthread_run() function can return either a valid pointer, NULL, or an error pointer (e.g., ERR_PTR(-ENOMEM)). The driver's cleanup code only checked for NULL before dereferencing the spi_thread pointer, but did not handle error pointers. This oversight can lead to a NULL or error pointer dereference when the probe fails after a thread creation error [1][2][3][4].
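The pointer states described above, as an added userspace model (not the driver's code and not the upstream patch). ERR_PTR, IS_ERR and IS_ERR_OR_NULL are re-implemented here after the kernel's include/linux/err.h; struct task, struct hcd_model and the cleanup_* functions are hypothetical names used only for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Userspace stand-ins for the kernel's include/linux/err.h helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline bool IS_ERR(const void *p)
{
    /* Error pointers occupy the top MAX_ERRNO values of the address space. */
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct task { int stopped; };                  /* hypothetical stand-in for task_struct */
struct hcd_model { struct task *spi_thread; }; /* models max3421_hcd->spi_thread */

/* Guard as described for the unfixed cleanup: NULL check only.
 * Returns true if cleanup would go on to dereference spi_thread. */
bool cleanup_would_deref_null_only(const struct hcd_model *h)
{
    return h->spi_thread != NULL;
}

/* Guard that rejects both NULL and error pointers. */
bool cleanup_would_deref_checked(const struct hcd_model *h)
{
    return !IS_ERR_OR_NULL(h->spi_thread);
}

/* Cleanup that touches the thread only when the pointer is usable.
 * Returns 1 if a thread was stopped, 0 if there was nothing to stop. */
int cleanup_fixed(struct hcd_model *h)
{
    if (IS_ERR_OR_NULL(h->spi_thread))
        return 0;
    h->spi_thread->stopped = 1; /* stands in for kthread_stop() */
    return 1;
}

int main(void)
{
    struct task t = {0};
    struct hcd_model cases[] = { { NULL }, { ERR_PTR(-ENOMEM) }, { &t } };
    const char *names[] = { "NULL", "ERR_PTR(-ENOMEM)", "valid" };
    for (int i = 0; i < 3; i++)
        printf("%-18s null-only=%d checked=%d\n", names[i],
               cleanup_would_deref_null_only(&cases[i]),
               cleanup_would_deref_checked(&cases[i]));
    return 0;
}
```

The ERR_PTR(-ENOMEM) row is the case the CVE describes: the value is non-NULL, so a NULL-only guard lets cleanup proceed to use it as a task pointer.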
Exploitation Conditions
An attacker would need to trigger a failure in kthread_run() during the probe of the MAX3421 device. This could be achieved by exhausting system resources (e.g., memory pressure) or by other means that cause thread creation to fail. The vulnerability is triggered during driver probe, which typically occurs at device enumeration at boot or hotplug. No special privileges are required beyond the ability to cause the device to be probed.
Impact
If exploited, the dereference of an invalid pointer can cause a kernel crash (oops), leading to a denial of service (DoS) on the affected system. The impact is limited to availability; there is no evidence of privilege escalation or data corruption from this bug.
Mitigation
The fix has been applied to the Linux kernel stable branches as of the referenced commits [1][2][3][4]. Users should update their kernel to a version containing the fix. No workaround is available other than avoiding the use of the MAX3421 hardware or applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 8
89838fe5c6c0, 3facf69a735e, e0e0ce06f357, 3723c3dda1cc, b0439e3762ac, e68ea6de1d05, b682ce44bf20, 186e8f2bdba5
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/186e8f2bdba551f3ae23396caccd452d985c23e3 (nvd)
- git.kernel.org/stable/c/3723c3dda1cc82c9bbca08fcbd46705a361bfd56 (nvd)
- git.kernel.org/stable/c/3facf69a735e730ae36387f18780fe420708aa91 (nvd)
- git.kernel.org/stable/c/89838fe5c6c010ff8d3924f22afd9c18c5c95310 (nvd)
- git.kernel.org/stable/c/b0439e3762ac9ea580f714e1504a1827d1ad32f5 (nvd)
- git.kernel.org/stable/c/b682ce44bf20ada752a2f6ce70d5a575c56f6a35 (nvd)
- git.kernel.org/stable/c/e0e0ce06f3571be9b26790e4df56ba37b1de8543 (nvd)
- git.kernel.org/stable/c/e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc (nvd)