CVE-2025-68758
Description
In the Linux kernel, the following vulnerability has been resolved:
backlight: led-bl: Add devlink to supplier LEDs
LED Backlight is a consumer of one or multiple LED class devices, but devlink is currently unable to create correct supplier-producer links when the supplier is a class device. It creates instead a link where the supplier is the parent of the expected device.
One consequence is that removal order is not correctly enforced.
Issues happen for example with the following sections in a device tree overlay:
// An LED driver chip pca9632@62 { compatible = "nxp,pca9632"; reg = <0x62>;
// ...
addon_led_pwm: led-pwm@3 { reg = <3>; label = "addon:led:pwm"; }; };
backlight-addon { compatible = "led-backlight"; leds = <&addon_led_pwm>; brightness-levels = <255>; default-brightness-level = <255>; };
In this example, the devlink should be created between the backlight-addon (consumer) and the pca9632@62 (supplier). Instead it is created between the backlight-addon (consumer) and the parent of the pca9632@62, which is typically the I2C bus adapter.
On removal of the above overlay, the LED driver can be removed before the backlight device, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 ... Call trace: led_put+0xe0/0x140 devm_led_release+0x6c/0x98
Another way to reproduce the bug without any device tree overlays is unbinding the LED class device (pca9632@62) before unbinding the consumer (backlight-addon):
echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind
Fix by adding a devlink between the consuming led-backlight device and the supplying LED device, as other drivers and subsystems do as well.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel led-backlight driver fails to create correct devlink to supplier LEDs, causing use-after-free on removal.
Vulnerability
CVE-2025-68758 is a vulnerability in the Linux kernel's led-backlight driver. The driver fails to create a correct device link (devlink) between the backlight consumer and the supplier LED device. Instead, it incorrectly links to the parent of the supplier's parent (e.g., an I2C bus adapter), preventing proper removal ordering [1][2].
Exploitation
An attacker with local access to device tree overlay removal or sysfs unbinding the LED class device before the backlight consumer can trigger the bug. For example, unbinding the LED driver (e.g., pca9632@62) before the backlight device leads to a NULL pointer dereference [1][2].
Impact
Successful exploitation results in a kernel NULL pointer dereference, causing a system crash (denial of service). The call trace shows led_put and devm_led_release being called on freed memory [1][2].
Mitigation
The fix adds a proper devlink between the led-backlight device and the supplying LED device, ensuring correct removal order. Patches are available in the stable kernel tree [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46cnvd
- git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563anvd
- git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555cnvd
- git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9nvd
- git.kernel.org/stable/c/64739adf3eef063b8e2c72b7e919eac8c6480bf0nvd
- git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9dnvd
- git.kernel.org/stable/c/cd01a24b3e52d6777b49c917d841f125fe9eebd0nvd
- git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7canvd
News mentions
0No linked articles in our index yet.