CVE-2025-68257— comedi: check device's attached status in compat ioctls
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-68257
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
comedi: check device's attached status in compat ioctls
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: comedi: check device's attached status in compat ioctls Syzbot identified an issue [1] that crashes kernel, seemingly due to unexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig(). As the crash seems to appear exclusively in i386 kernels, at least, judging from [1] reports, the blame lies with compat versions of standard IOCTL handlers. Several of them are modified and do not use comedi_unlocked_ioctl(). While functionality of these ioctls essentially copy their original versions, they do not have required sanity check for device's attached status. This, in turn, leads to a possibility of calling select IOCTLs on a device that has not been properly setup, even via COMEDI_DEVCONFIG. Doing so on unconfigured devices means that several crucial steps are missed, for instance, specifying dev->get_valid_routes() callback. Fix this somewhat crudely by ensuring device's attached status before performing any ioctls, improving logic consistency between modern and compat functions. [1] Syzbot report: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 Call Trace: <TASK> get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 __do_compat_sys_ioctl fs/ioctl.c:695 [inline] __se_compat_sys_ioctl fs/ioctl.c:638 [inline] __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] ...
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于comedi中兼容ioctl未检查设备连接状态。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-68257
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-68257
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-12-16 · 157 CVEs total
| CVE-2025-68263 | 9.8 CRITICAL | ksmbd: ipc: fix use-after-free in ipc_msg_send_request |
| CVE-2025-68260 | rust_binder: fix race condition on death_list | |
| CVE-2025-68250 | hung_task: fix warnings caused by unaligned lock pointers | |
| CVE-2025-68251 | erofs: avoid infinite loops due to corrupted subpage compact indexes | |
| CVE-2025-68252 | misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup | |
| CVE-2025-68253 | mm: don't spin in add_stack_record when gfp flags don't allow | |
| CVE-2025-68254 | staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing | |
| CVE-2025-68255 | staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing | |
| CVE-2025-68256 | staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser | |
| CVE-2025-68258 | comedi: multiq3: sanitize config options in multiq3_attach() | |
| CVE-2025-68259 | KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced | |
| CVE-2025-68265 | nvme: fix admin request_queue lifetime | |
| CVE-2025-68283 | libceph: replace BUG_ON with bounds check for map->max_osd | |
| CVE-2025-68282 | usb: gadget: udc: fix use-after-free in usb_gadget_state_work | |
| CVE-2025-68281 | ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list | |
| CVE-2025-68266 | bfs: Reconstruct file type when loading from disk | |
| CVE-2025-68262 | crypto: zstd - fix double-free in per-CPU stream cleanup | |
| CVE-2025-68261 | ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() | |
| CVE-2025-68249 | most: usb: hdm_probe: Fix calling put_device() before device initialization | |
| CVE-2025-68264 | ext4: refresh inline data size before write operations |
Showing top 20 of 157 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-68257
No comments yet