CVE-2025-68257
Description
In the Linux kernel, the following vulnerability has been resolved:
comedi: check device's attached status in compat ioctls
Syzbot identified an issue [1] that crashes kernel, seemingly due to unexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig().
As the crash seems to appear exclusively in i386 kernels, at least, judging from [1] reports, the blame lies with compat versions of standard IOCTL handlers. Several of them are modified and do not use comedi_unlocked_ioctl(). While functionality of these ioctls essentially copy their original versions, they do not have required sanity check for device's attached status. This, in turn, leads to a possibility of calling select IOCTLs on a device that has not been properly setup, even via COMEDI_DEVCONFIG.
Doing so on unconfigured devices means that several crucial steps are missed, for instance, specifying dev->get_valid_routes() callback.
Fix this somewhat crudely by ensuring device's attached status before performing any ioctls, improving logic consistency between modern and compat functions.
[1] Syzbot report: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 Call Trace:
get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 __do_compat_sys_ioctl fs/ioctl.c:695 [inline] __se_compat_sys_ioctl fs/ioctl.c:638 [inline] __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] ...
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel comedi driver compat ioctl handlers miss device attached status check, leading to NULL pointer dereference on uninitialized devices.
Vulnerability
The comedi driver in the Linux kernel fails to validate the device's attached status in its compat ioctl handlers [1]. This oversight allows certain IOCTLs to operate on devices that have not been properly initialized via COMEDI_DEVCONFIG. The missing check means that critical callbacks, such as get_valid_routes(), which are set during device configuration, remain unassigned, leading to a null pointer dereference when called.
Exploitation
An attacker with local access to the comedi device files (e.g., /dev/comedi*) can trigger the vulnerability by issuing compat IOCTLs on i386 kernels. These compat handlers bypass the standard comedi_unlocked_ioctl() that performs the required attached status check. No special authentication is needed if the device is accessible. The syzbot report demonstrates a kernel crash with a NULL pointer dereference at get_valid_routes() during instruction parsing [1].
Impact
Successful exploitation results in a kernel NULL pointer dereference, causing a denial of service (system crash). While the description does not confirm code execution, the nature of the crash indicates potential for further exploitation if an attacker can control the invalid pointer.
Mitigation
The fix adds a check for the device's attached status in the compat ioctl paths, ensuring consistency with the standard ioctl handler. The patch has been applied to the stable kernel trees as commits [1][2][3]. Users should update their kernels to include these fixes.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/0de7d9cd07a2671fa6089173bccc0b2afe6b93eenvd
- git.kernel.org/stable/c/4836ba483a22ebd076c8faaf8293a7295fad4142nvd
- git.kernel.org/stable/c/573b07d2e3d473ee7eb625ef87519922cf01168dnvd
- git.kernel.org/stable/c/7141915bf0c41cb57d83cdbaf695b8c731b16b71nvd
- git.kernel.org/stable/c/aac80e912de306815297a3b74f0426873ffa7dc3nvd
- git.kernel.org/stable/c/b975f91de5f8f63cf490f0393775cc795f8b0557nvd
- git.kernel.org/stable/c/f13895c03620933a58907e3250016f087e39b78cnvd
- git.kernel.org/stable/c/f6e629dfe6f590091c662a87c9fcf118b1c1c7dcnvd
News mentions
0No linked articles in our index yet.