CVE-2025-68755

Vulnerability

Overview

The Linux kernel's staging tree has removed the MOST I2C driver (a driver for Media Oriented Systems Transport over I2C) after it was found to be completely broken for over five years. The problem originated in commit 723de0f9171e ("staging: most: remove device from interface structure"), which introduced a requirement for all MOST drivers to set the interface device pointer before registration. The I2C driver was never updated to meet this requirement, meaning any attempt to probe the device would result in a NULL pointer dereference [1].

Exploitation and

Impact

Because the driver is already in the staging tree (i.e., not fully integrated into the main kernel), exploitation requires a system where the module is loaded and a matching I2C device is present. Under those conditions, probing the driver causes a kernel crash via a NULL pointer dereference. No privilege escalation or memory corruption beyond the immediate crash is described. The impact is limited to denial of service (system crash) in a very specific hardware configuration, and no active exploitation has been reported.

Mitigation

The fix is to remove the driver entirely—no patches are provided for the broken code, as it was deemed more useful to delete the unmaintained, non-functional driver. The commit removing the driver has been applied to the stable kernel tree [2]. Users are advised to update to a kernel version containing this removal. There is no workaround other than not loading the driver or blacklisting the module.