CVE-2025-68167

Root

Cause In the Linux kernel's gpiolib debugfs interface, the gpiolib_seq_start() function allocates memory for the private data using kzalloc(). If this allocation fails, the s->private field is left uninitialized. The subsequent gpiolib_seq_stop() function dereferences s->private without checking for NULL, leading to an invalid pointer access and potential kernel crash [1].

Exploitation

An attacker would need to trigger the debugfs read sequence on the gpiolib debugfs file, typically requiring local access to the system. The failure of the memory allocation could be induced by exhausting system memory, a condition that may be achievable from user space by consuming memory resources. No authentication is required beyond the ability to read debugfs files, which often requires root privileges or specific capabilities.

Impact

A successful exploitation results in a kernel NULL pointer dereference, leading to a system crash (denial of service). There is no indication of privilege escalation or information disclosure. The vulnerability is considered medium severity.

Mitigation

The fix initializes s->private to NULL before the allocation and adds a NULL check before dereferencing it in gpiolib_seq_stop(). The patch has been applied to the Linux kernel stable tree as commit 3c91c8f424d3e44c8645ab765a38773e58afb07d [1]. Users should update to a kernel version including this fix.