VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 16, 2025· Updated Apr 15, 2026

CVE-2025-68258

CVE-2025-68258

Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: multiq3: sanitize config options in multiq3_attach()

Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver.

This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_attach() via it->options[2], then multiple calls to multiq3_encoder_reset() at the end of driver-specific attach() method will be running for minutes, thus blocking tasks and affected devices as well.

While this issue is most likely not too dangerous for real-life devices, it still makes sense to sanitize configuration inputs. Enable a sensible limit on the number of encoder chips (4 chips max, each with 2 channels) to stop this behaviour from manifesting.

[1] Syzbot crash: INFO: task syz.2.19:6067 blocked for more than 143 seconds. ... Call Trace:

context_switch kernel/sched/core.c:5254 [inline] __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 __schedule_loop kernel/sched/core.c:6944 [inline] schedule+0x165/0x360 kernel/sched/core.c:6959 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 do_dentry_open+0x953/0x13f0 fs/open.c:965 vfs_open+0x3b/0x340 fs/open.c:1097 ...

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's comedi multiq3 driver, unsanitized configuration options can cause a task timeout by specifying an excessive number of encoder channels.

Vulnerability

Description

In the Linux kernel, the comedi multiq3 driver's multiq3_attach() function did not sanitize configuration options passed via it->options[2], which specifies the number of channels in the encoder subdevice. If a particularly large number is provided, the subsequent calls to multiq3_encoder_reset() at the end of the attach method can run for minutes, causing a task timeout [1].

Exploitation

An attacker with the ability to craft configuration options for the multiq3 driver (e.g., via a COMEDI_DEVCONFIG ioctl or by opening the device) can trigger this issue. The attack does not require special privileges beyond the ability to interact with the comedi subsystem. The syzbot fuzzer demonstrated this by passing a large value for the number of channels, leading to prolonged execution of reset operations [1].

Impact

The primary impact is a denial of service (DoS) condition. The affected task becomes blocked for an extended period (over 143 seconds in the syzbot report), and other devices may also be affected due to the blocking of comedi operations. The issue is not considered highly dangerous for real-life devices but can cause significant disruption [1].

Mitigation

The fix introduces a sensible limit on the number of encoder chips (maximum 4 chips, each with 2 channels) to prevent this behavior. The patch has been applied to the Linux kernel stable tree [1][2][3][4]. Users should update their kernel to a version containing the fix.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

8

News mentions

0

No linked articles in our index yet.