CVE-2025-68335
Description
In the Linux kernel, the following vulnerability has been resolved:
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to a general protection fault and kernel crash.
Mitigate this problem by removing a call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice sets up its support for async commands, everything async-related will be handled via the subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either.
[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
 pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
 comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 ...
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null-pointer dereference in the Linux kernel's comedi pcl818 driver (pcl818_ai_cancel) can be triggered during device detach, leading to a kernel crash; the fix removes the vulnerable call.
Vulnerability
CVE-2025-68335 describes a null-pointer dereference vulnerability in the Linux kernel's comedi subsystem, specifically in the pcl818 driver. The bug resides in the pcl818_ai_cancel() function, which is called during device detach via pcl818_detach(). If the subdevice's read_subdev pointer has not been fully initialized (i.e., its async field is NULL), dereferencing s->async->cmd causes a general protection fault and kernel crash. This was discovered by syzbot and reported with a detailed crash trace [1].
Exploitation
The vulnerability can be triggered by a local user with access to the comedi device, typically through an ioctl that initiates device detachment (e.g., do_devconfig_ioctl). No special privileges beyond access to the comedi interface are required, as the crash occurs during normal device removal operations. The attack surface is limited to systems where the pcl818 driver is loaded and a comedi device is configured.
Impact
Successful exploitation results in a kernel crash (general protection fault), leading to a denial of service (DoS) for the affected system. The crash is reproducible and can be triggered repeatedly by an unprivileged user, making it a reliable local DoS vector.
Mitigation
The fix, committed to the Linux kernel stable tree, removes the call to pcl818_ai_cancel() from pcl818_detach(). This ensures that asynchronous command cancellation is handled by the subdevice's own ->cancel() function in comedi_device_detach_locked(), which only runs if the subdevice supports async commands. The patch is available in multiple stable kernel versions [1]. Users should update their kernels to include this fix.
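The detach ordering described above, as an added userspace model in C (not the kernel's code or the patch itself): the structs are cut down to the fields involved, the function names `model_ai_cancel`, `model_core_cancel`, `detach_before_fix` and `detach_after_fix` are hypothetical, and the condition under which the core step invokes ->cancel() is assumed from the description.

```c
/* Userspace model of the detach ordering. Simplified structs, not kernel code. */
#include <stdio.h>
struct comedi_cmd { unsigned int flags; };
struct comedi_async { struct comedi_cmd cmd; int cancels; };
struct comedi_subdevice {
    struct comedi_async *async;   /* NULL until async command support is set up */
    int (*cancel)(struct comedi_subdevice *s);
};
struct comedi_device { struct comedi_subdevice *read_subdev; };

/* Stands in for pcl818_ai_cancel(): it uses s->async->cmd without checking async.
 * The guard is model-only; it returns -1 where the kernel takes the fault. */
static int model_ai_cancel(struct comedi_subdevice *s)
{
    if (!s || !s->async)
        return -1;
    s->async->cmd.flags = 0;
    s->async->cancels++;
    return 0;
}

/* Stands in for the core step in comedi_device_detach_locked(): ->cancel() is
 * invoked only for a subdevice that set up async support (assumed condition). */
static int model_core_cancel(struct comedi_device *dev)
{
    struct comedi_subdevice *s = dev->read_subdev;
    return (s && s->async && s->cancel) ? s->cancel(s) : 0;
}

/* Before the fix: the driver's detach calls ai_cancel again, unconditionally. */
static int detach_before_fix(struct comedi_device *dev)
{
    int rc = model_core_cancel(dev);
    return rc ? rc : model_ai_cancel(dev->read_subdev);
}

/* After the fix: the driver's detach leaves cancellation to the core step. */
static int detach_after_fix(struct comedi_device *dev)
{
    return model_core_cancel(dev);
}

int main(void)
{
    struct comedi_subdevice early = { NULL, model_ai_cancel }; /* constructed: early detach */
    struct comedi_device dev = { &early };
    printf("before=%d after=%d\n", detach_before_fix(&dev), detach_after_fix(&dev));
    return 0;
}
```

With async set up, the pre-fix path cancels twice (core step, then driver detach) while the post-fix path cancels once, which is why the driver-side call could be dropped rather than guarded.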
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861 (nvd)
- git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16 (nvd)
- git.kernel.org/stable/c/88d99ca5adbd01ff088f5fb2ddeba5755e085e52 (nvd)
- git.kernel.org/stable/c/935ad4b3c325c24fff2c702da403283025ffc722 (nvd)
- git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565 (nvd)
- git.kernel.org/stable/c/b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16 (nvd)
- git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea (nvd)