2418893 – (CVE-2025-40263) CVE-2025-40263 kernel: Input: cros_ec_keyb - fix an invalid memory access

Bug 2418893 (CVE-2025-40263) - CVE-2025-40263 kernel: Input: cros_ec_keyb - fix an invalid memory access

Summary: CVE-2025-40263 kernel: Input: cros_ec_keyb - fix an invalid memory access

Keywords:
Status:	NEW
Alias:	CVE-2025-40263
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-04 17:03 UTC by OSIDB Bzimport
Modified:	2025-12-19 14:19 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-04 17:03:31 UTC

In the Linux kernel, the following vulnerability has been resolved:

Input: cros_ec_keyb - fix an invalid memory access

If cros_ec_keyb_register_matrix() isn't called (due to
`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
NULL.  An invalid memory access is observed in cros_ec_keyb_process()
when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
in such case.

  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
  ...
  x3 : 0000000000000000 x2 : 0000000000000000
  x1 : 0000000000000000 x0 : 0000000000000000
  Call trace:
  input_event
  cros_ec_keyb_work
  blocking_notifier_call_chain
  ec_irq_thread

It's still unknown about why the kernel receives such malformed event,
in any cases, the kernel shouldn't access `ckdev->idev` and friends if
the driver doesn't intend to initialize them.

Comment 1 Jon Moroney 2025-12-04 17:26:25 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120434-CVE-2025-40263-bfaa@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.