CVE-2025-40263
Description
In the Linux kernel, the following vulnerability has been resolved:
Input: cros_ec_keyb - fix an invalid memory access
If cros_ec_keyb_register_matrix() isn't called (due to buttons_switches_only) in cros_ec_keyb_probe(), ckdev->idev remains NULL. An invalid memory access is observed in cros_ec_keyb_process() when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work() in that case.

Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
...
x3 : 0000000000000000 x2 : 0000000000000000
x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 input_event
 cros_ec_keyb_work
 blocking_notifier_call_chain
 ec_irq_thread

It's still unknown why the kernel receives such a malformed event; in any case, the kernel shouldn't access ckdev->idev and friends if the driver doesn't intend to initialize them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel cros_ec_keyb driver can dereference a NULL input device pointer, causing a kernel crash on receiving a keyboard matrix event when only buttons/switches are used.
Vulnerability
In the Linux kernel's Chrome OS EC keyboard driver (drivers/input/keyboard/cros_ec_keyb.c), when the device is configured with buttons_switches_only = 1, the function cros_ec_keyb_register_matrix() is skipped during probe [1]. This leaves ckdev->idev as NULL. If an EC_MKBP_EVENT_KEY_MATRIX event is later received, the workqueue handler cros_ec_keyb_work() calls cros_ec_keyb_process() which directly uses the NULL idev pointer for input_event(), causing an invalid memory access and a kernel panic [2].
Exploitation
An attacker who can inject a malformed EC_MKBP event (for example, via a compromised or malicious embedded controller firmware) can trigger this NULL-pointer dereference from any context where the driver processes events. No special privileges are required beyond the ability to send the specific event type to the driver, which may occur during normal EC communication [2]. The crash trace shows the fault originates in input_event() called from cros_ec_keyb_work() [2].
Impact
Successful exploitation leads to a denial of service (system crash or lockup) due to a kernel NULL-pointer dereference [2]. The vulnerability does not appear to allow arbitrary code execution or privilege escalation; it is a plain read-from-NULL with no controlled data flow [2].
Mitigation
The fix adds a guard in cros_ec_keyb_process(): if ckdev->idev is NULL, the function returns early without accessing the input device [3][4]. This commit has been backported to stable kernel trees [1][3][4]. Users should apply the latest kernel updates or cherry-pick the corresponding commit for their kernel version.
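To make the probe/work shape described above concrete, here is an added userspace C model of the driver's state machine. It is not the kernel's code and not the patch itself: keyb_probe(), keyb_work(), keyb_process_prefix(), keyb_process_fixed(), the stand-in struct input_dev and the event constants are all constructed for this illustration (the real values live in the kernel's cros_ec_keyb.c and cros_ec_commands.h). It shows how a buttons/switches-only probe leaves idev NULL, how the pre-fix process path would dereference it on a KEY_MATRIX event, and how the post-fix guard turns that into a dropped event instead.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of MKBP event types the work handler dispatches on. */
enum mkbp_event_type {
	EC_MKBP_EVENT_KEY_MATRIX = 1,
	EC_MKBP_EVENT_BUTTON     = 2,
	EC_MKBP_EVENT_SWITCH     = 3,
};

#define MAX_COLS 13
#define MAX_ROWS 8

/* Stand-in for struct input_dev: just counts what reaches the input core. */
struct input_dev { const char *name; int key_events; int syncs; };

/* Stand-in for the driver's private state. idev is only set by
 * keyb_register_matrix(); bs_idev serves buttons and switches. */
struct cros_ec_keyb {
	struct input_dev *idev;
	struct input_dev *bs_idev;
	bool buttons_switches_only;
	int cols;
	uint8_t old_kb_state[MAX_COLS];
};

static struct input_dev matrix_dev = { .name = "cros_ec_matrix" };
static struct input_dev bs_dev     = { .name = "cros_ec_buttons" };

static void keyb_register_matrix(struct cros_ec_keyb *ckdev)
{
	ckdev->idev = &matrix_dev;
	ckdev->cols = MAX_COLS;
}

/* Probe decision: a buttons/switches-only EC never registers the matrix
 * device, so ckdev->idev stays NULL for the lifetime of the driver. */
void keyb_probe(struct cros_ec_keyb *ckdev, bool buttons_switches_only)
{
	memset(ckdev, 0, sizeof(*ckdev));
	ckdev->buttons_switches_only = buttons_switches_only;
	ckdev->bs_idev = &bs_dev;
	if (!buttons_switches_only)
		keyb_register_matrix(ckdev);
}

/* Diff the new column bitmap against the old one and report every changed
 * key to idev. Returns the number of key events reported. */
static int report_matrix_changes(struct cros_ec_keyb *ckdev, struct input_dev *idev,
				 const uint8_t *kb_state, size_t len)
{
	int reported = 0;
	for (size_t col = 0; col < len && col < (size_t)ckdev->cols; col++) {
		uint8_t diff = kb_state[col] ^ ckdev->old_kb_state[col];
		for (int row = 0; row < MAX_ROWS; row++) {
			if (diff & (1u << row)) {
				idev->key_events++;  /* input_report_key() */
				reported++;
			}
		}
		ckdev->old_kb_state[col] = kb_state[col];
	}
	idev->syncs++;                           /* input_sync() */
	return reported;
}

/* Pre-fix shape: trusts that idev exists. With idev == NULL this is the
 * read from a small offset off NULL seen in the crash trace. */
int keyb_process_prefix(struct cros_ec_keyb *ckdev, const uint8_t *kb_state, size_t len)
{
	return report_matrix_changes(ckdev, ckdev->idev, kb_state, len);
}

/* Post-fix shape: a matrix event without a matrix device is dropped. */
int keyb_process_fixed(struct cros_ec_keyb *ckdev, const uint8_t *kb_state, size_t len)
{
	if (!ckdev->idev)
		return -ENODEV;
	return report_matrix_changes(ckdev, ckdev->idev, kb_state, len);
}

/* Dispatch as in the work handler. Returns key events reported, or -errno. */
int keyb_work(struct cros_ec_keyb *ckdev, enum mkbp_event_type type,
	      const uint8_t *data, size_t len)
{
	switch (type) {
	case EC_MKBP_EVENT_KEY_MATRIX:
		return keyb_process_fixed(ckdev, data, len);
	case EC_MKBP_EVENT_BUTTON:
	case EC_MKBP_EVENT_SWITCH:
		ckdev->bs_idev->key_events++;
		ckdev->bs_idev->syncs++;
		return 1;
	default:
		return -EINVAL;
	}
}

/* Scenario: buttons/switches-only device gets a KEY_MATRIX event. */
int scenario_buttons_only_matrix_event(void)
{
	struct cros_ec_keyb ckdev;
	uint8_t matrix[MAX_COLS] = { [2] = 1u << 3 };  /* constructed: row 3, col 2 */
	keyb_probe(&ckdev, true);
	return keyb_work(&ckdev, EC_MKBP_EVENT_KEY_MATRIX, matrix, sizeof matrix);
}

/* Scenario: full keyboard, one key pressed then released (two events). */
int scenario_matrix_press_release(void)
{
	struct cros_ec_keyb ckdev;
	uint8_t pressed[MAX_COLS]  = { [2] = 1u << 3 };
	uint8_t released[MAX_COLS] = { 0 };
	keyb_probe(&ckdev, false);
	int n = keyb_work(&ckdev, EC_MKBP_EVENT_KEY_MATRIX, pressed, sizeof pressed);
	return n + keyb_work(&ckdev, EC_MKBP_EVENT_KEY_MATRIX, released, sizeof released);
}

int main(void)
{
	printf("buttons-only + KEY_MATRIX: %d (expect -ENODEV)\n", scenario_buttons_only_matrix_event());
	printf("full keyboard press/release: %d key events\n", scenario_matrix_press_release());
	return 0;
}
```

The guard is deliberately placed in the process function rather than at the dispatch site, matching the fix's intent that the driver never touches ckdev->idev unless probe initialised it, whatever path delivers the event. keyb_process_prefix() is kept only so the two shapes can be compared on a device that did register the matrix; nothing here calls it with a NULL idev.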
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- d74864291cb8
- 9cf59f4724a9
- 6d8106868515
- 2d251c15c27e
- e08969c4d65a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39 (nvd)
- git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec (nvd)
- git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7 (nvd)
- git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb (nvd)
- git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68 (nvd)
News mentions
No linked articles in our index yet.