Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40156

Description

In the Linux kernel, the following vulnerability has been resolved:

PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()

The drv->sram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) which would lead to an error pointer dereference. Use IS_ERR_OR_NULL() to check that the pointer is valid.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a potential error pointer dereference in the mtk-cci devfreq driver's probe() could cause a NULL pointer dereference if drv->sram_reg is ERR_PTR(-EPROBE_DEFER).

Vulnerability

In the Linux kernel's MediaTek CCI (Cache Coherent Interconnect) devfreq driver, the probe function does not properly check the drv->sram_reg pointer before dereferencing it. The devm_regulator_get_optional() call can leave the pointer set to ERR_PTR(-EPROBE_DEFER), which is non-NULL, so a later access to sram_reg without validation dereferences an error pointer [1]. The fix replaces a NULL check with IS_ERR_OR_NULL(), which rejects both NULL and error pointers.
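
The difference between the two checks, as an added example (not the driver's code or the kernel patch): a userspace C model of the kernel's error-pointer helpers. The struct regulator stand-in, use_sram_reg() and the outcome enum are hypothetical names; the model reports where the kernel would dereference instead of actually crashing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-creation of the kernel's include/linux/err.h helpers. */
#define MAX_ERRNO    4095
#define EPROBE_DEFER 517              /* kernel-internal errno value */

static void *ERR_PTR(long err)        { return (void *)(intptr_t)err; }
static long  PTR_ERR(const void *p)   { return (long)(intptr_t)p; }
static bool  IS_ERR(const void *p)    { return (uintptr_t)p >= (uintptr_t)(-MAX_ERRNO); }
static bool  IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct regulator { int enabled; };    /* stand-in, not the kernel struct */
enum outcome { SKIPPED, DISABLED, WOULD_OOPS };

/* Hypothetical later use of the pointer, guarded by the old or the new check. */
static enum outcome use_sram_reg(struct regulator *reg, bool fixed)
{
    bool usable = fixed ? !IS_ERR_OR_NULL(reg) : (reg != NULL);

    if (!usable)
        return SKIPPED;
    if (IS_ERR(reg))                  /* model only: the kernel would dereference here */
        return WOULD_OOPS;
    reg->enabled = 0;
    return DISABLED;
}

int main(void)
{
    struct regulator real = { .enabled = 1 };
    struct regulator *cases[] = { NULL, ERR_PTR(-EPROBE_DEFER), &real };
    const char *names[] = { "NULL", "ERR_PTR(-EPROBE_DEFER)", "valid" };
    const char *out[] = { "skipped", "disabled", "would oops" };

    printf("ERR_PTR(-EPROBE_DEFER) = %p (PTR_ERR %ld)\n",
           (void *)cases[1], PTR_ERR(cases[1]));
    for (int i = 0; i < 3; i++) {
        enum outcome old = use_sram_reg(cases[i], false);
        real.enabled = 1;             /* reset so both guards see the same state */
        printf("%-24s NULL check: %-11s IS_ERR_OR_NULL: %s\n", names[i],
               out[old], out[use_sram_reg(cases[i], true)]);
    }
    return 0;
}
```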

Exploitation

An attacker would need to trigger the probe of the mtk-cci devfreq driver on a vulnerable kernel. This could occur during system boot or when the driver is loaded, typically requiring local access or a crafted device tree. The condition -EPROBE_DEFER may arise if the required regulator is not yet available, causing the driver to defer its probe. If the driver later attempts to use the error pointer without proper handling, a kernel crash (oops) may occur.

Impact

Successful exploitation leads to a denial of service (system crash) due to a kernel NULL pointer dereference or invalid memory access. This affects kernel stability, potentially causing system unavailability.

Mitigation

The vulnerability is fixed in Linux kernel versions that include the commit (fc33bf0e097c) and an additional stable backport (44e32104cf7e) [1][2]. Users should update to the latest stable kernel containing these patches.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
