CVE-2025-68228

Vulnerability

Overview

In the Linux kernel, the create_in_format_blob() function in drm/plane.c was found to return NULL in certain failure cases instead of a proper error pointer. The function is designed to return either a valid pointer or an error value (via ERR_PTR()), but some error paths returned NULL. This violates the contract with callers, which check for errors using IS_ERR() and dereference the returned pointer when it is not an error. If NULL is returned, the caller will dereference it, leading to a NULL pointer dereference and a kernel oops (crash) [1].

Exploitation and

Impact

The vulnerability is triggered when create_in_format_blob() encounters an allocation failure or other error condition. An attacker would need to be able to trigger such a failure, potentially by exhausting memory or other resources. The attack surface is local, requiring the ability to invoke DRM plane operations, typically through a graphics system call. No special privileges are mentioned, but the attacker must have access to the DRM subsystem. The impact is a denial of service (system crash) due to the NULL pointer dereference [1].

Mitigation

The fix was applied in the Linux kernel stable tree, changing the NULL returns to appropriate error codes using ERR_PTR(). Users should update to a kernel version containing the commit cead55e24cf9e092890cf51c0548eccd7569defa or later. No workaround is mentioned; the patch is the recommended mitigation [1].