CVE-2025-38266 in Linuxinfo

Summary

by MITRE • 07/10/2025

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms

Commit 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple addresses") introduced an access to the 'soc' field of struct mtk_pinctrl in mtk_eint_do_init() and for that an include of pinctrl-mtk-common-v2.h.

However, pinctrl drivers relying on the v1 common driver include pinctrl-mtk-common.h instead, which provides another definition of struct mtk_pinctrl that does not contain an 'soc' field.

Since mtk_eint_do_init() can be called both by v1 and v2 drivers, it will now try to dereference an invalid pointer when called on v1 platforms. This has been observed on Genio 350 EVK (MT8365), which crashes very early in boot (the kernel trace can only be seen with earlycon).

In order to fix this, since 'struct mtk_pinctrl' was only needed to get a 'struct mtk_eint_pin', make 'struct mtk_eint_pin' a parameter of mtk_eint_do_init() so that callers need to supply it, removing mtk_eint_do_init()'s dependency on any particular 'struct mtk_pinctrl'.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/07/2025

The vulnerability CVE-2025-38266 represents a critical pointer dereference issue within the Linux kernel's Mediatek pinctrl subsystem affecting embedded platforms. This flaw specifically impacts the EINT (External Interrupt) handling mechanism for Mediatek SoCs, where the kernel exhibits improper memory access patterns during early boot phases. The vulnerability manifests when the mtk_eint_do_init() function attempts to access a 'soc' field within the mtk_pinctrl structure, which exists in v2 implementations but is absent from v1 driver definitions. The issue stems from a design inconsistency where the same initialization function must support both v1 and v2 driver architectures while maintaining backward compatibility.

The technical implementation flaw occurs due to an inconsistent struct definition pattern within the Mediatek pinctrl driver framework. When commit 3ef9f710efcb introduced EINT support for multiple addresses, it added dependency on pinctrl-mtk-common-v2.h which defines struct mtk_pinctrl with a 'soc' field. However, v1 platforms utilize pinctrl-mtk-common.h which defines a different struct mtk_pinctrl without this field. This creates a scenario where mtk_eint_do_init() function attempts to access memory at an invalid offset when executed on v1 platforms, resulting in immediate kernel crashes during early boot sequence. The vulnerability is particularly severe because it occurs before normal kernel logging mechanisms can capture the error, requiring specialized debugging tools like earlycon to observe the kernel trace.

The operational impact of this vulnerability extends to embedded systems utilizing Mediatek MT8365 SoCs such as the Genio 350 EVK platform, where the system fails to boot properly due to the kernel panic occurring during the initial boot phase. This represents a critical availability issue affecting device functionality and system reliability. The vulnerability affects the broader Linux kernel ecosystem by demonstrating the risks of improper abstraction layer design in device driver frameworks, particularly when supporting multiple hardware generations within a single driver architecture. The issue highlights the importance of maintaining consistent data structures across driver versions and proper conditional compilation practices to prevent such runtime errors.

The fix implemented addresses the root cause by restructuring the mtk_eint_do_init() function to eliminate its dependency on specific struct mtk_pinctrl definitions. Instead of accessing the 'soc' field directly, the function now accepts struct mtk_eint_pin as a parameter, allowing callers to provide the necessary data structure without requiring access to the potentially missing 'soc' field. This approach aligns with security best practices for kernel development and follows the principle of least privilege by reducing the scope of memory access required for initialization. The solution also demonstrates proper defensive programming techniques that prevent null pointer dereference conditions, which are categorized under CWE-476 as "NULL Pointer Dereference" and can be classified under ATT&CK technique T1059.001 for command and scripting interpreter usage in kernel contexts. The mitigation strategy ensures that both v1 and v2 driver platforms can successfully initialize EINT functionality without system crashes, maintaining the integrity of the embedded device boot process and preventing unauthorized access through kernel exploitation vectors.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/10/2025

Moderation

accepted

CPE

ready

EPSS

0.00137

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!