CVE-2025-68328

Vulnerability

Overview

In the Linux kernel's stratix10-svc firmware driver, a bug was introduced by incorrectly using both platform_set_drvdata and dev_set_drvdata to store the same controller data. Because these two functions operate on different device structures but were given the same pointer, one call overwrites the other, leading to a mismatch between the stored data and the actual driver state [1][2][3].

Exploitation

Conditions

The vulnerability is triggered when the stratix10-svc driver is unloaded via rmmod. The corrupted driver data causes the removal path to attempt stopping a kernel thread (kthread_stop) and freeing a FIFO that were never properly initialized or have already been freed, resulting in a kernel panic. No special privileges are required beyond the ability to load and unload the driver module, which typically requires root access.

Impact

A local attacker with the ability to unload the stratix10-svc driver can trigger a kernel panic, leading to a denial of service (system crash). The panic occurs during the driver's cleanup routine, making the system unavailable until reboot.

Mitigation

The fix has been applied to the Linux kernel stable tree in commits [1], [2], and [3], which correct the driver data storage by using only one of the two set functions. Users should update their kernel to a version containing these commits or apply the appropriate backport.