CVE-2025-40263

EUVD-2025-201194
In the Linux kernel, the following vulnerability has been resolved:

Input: cros_ec_keyb - fix an invalid memory access

If cros_ec_keyb_register_matrix() isn't called (due to
`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
NULL.  An invalid memory access is observed in cros_ec_keyb_process()
when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
in such case.

  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
  ...
  x3 : 0000000000000000 x2 : 0000000000000000
  x1 : 0000000000000000 x0 : 0000000000000000
  Call trace:
  input_event
  cros_ec_keyb_work
  blocking_notifier_call_chain
  ec_irq_thread

It's still unknown about why the kernel receives such malformed event,
in any cases, the kernel shouldn't access `ckdev->idev` and friends if
the driver doesn't intend to initialize them.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
fixed
bookworm (security)
6.1.162-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.249-1
fixed
forky
6.18.15-1
fixed
sid
6.18.15-1
fixed
trixie
6.12.63-1
fixed
trixie (security)
6.12.73-1
fixed
linux-6.1
bullseye (security)
6.1.162-1~deb11u1
fixed
References
https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39
https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec
https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7
https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb
https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68