{"api_version":"1","generated_at":"2026-06-20T16:22:08+00:00","cve":"CVE-2025-40263","urls":{"html":"https://cve.report/CVE-2025-40263","api":"https://cve.report/api/cve/CVE-2025-40263.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-40263","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-40263"},"summary":{"title":"Input: cros_ec_keyb - fix an invalid memory access","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cros_ec_keyb - fix an invalid memory access\n\nIf cros_ec_keyb_register_matrix() isn't called (due to\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains\nNULL.  An invalid memory access is observed in cros_ec_keyb_process()\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\nin such case.\n\n  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\n  ...\n  x3 : 0000000000000000 x2 : 0000000000000000\n  x1 : 0000000000000000 x0 : 0000000000000000\n  Call trace:\n  input_event\n  cros_ec_keyb_work\n  blocking_notifier_call_chain\n  ec_irq_thread\n\nIt's still unknown about why the kernel receives such malformed event,\nin any cases, the kernel shouldn't access `ckdev->idev` and friends if\nthe driver doesn't intend to initialize them.","state":"PUBLISHED","assigner":"Linux","published_at":"2025-12-04 16:16:20","updated_at":"2026-06-02 14:16:32"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68","name":"https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7","name":"https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb","name":"https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-253495.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-253495.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec","name":"https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39","name":"https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-40263","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40263","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 d74864291cb8bd784d44d1d02e87109cf88666bb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 9cf59f4724a9ee06ebb06c76b8678ac322e850b7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 6d81068685154535af06163eb585d6d9663ec7ec git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 2d251c15c27e2dd16d6318425d2f7260cbd47d39 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 e08969c4d65ac31297fcb4d31d4808c789152f68 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.159 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.118 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.60 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.17.10 6.17.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"RUGGEDCOM RST2428P","version":"affected V4.0 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"40263","cve":"CVE-2025-40263","epss":"0.000370000","percentile":"0.113680000","score_date":"2026-06-08","updated_at":"2026-06-09 00:12:52"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"affected":[{"defaultStatus":"unknown","product":"RUGGEDCOM RST2428P","vendor":"Siemens","versions":[{"lessThan":"V4.0","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-06-02T13:00:15.067Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-253495.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/input/keyboard/cros_ec_keyb.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"d74864291cb8bd784d44d1d02e87109cf88666bb","status":"affected","version":"ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0","versionType":"git"},{"lessThan":"9cf59f4724a9ee06ebb06c76b8678ac322e850b7","status":"affected","version":"ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0","versionType":"git"},{"lessThan":"6d81068685154535af06163eb585d6d9663ec7ec","status":"affected","version":"ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0","versionType":"git"},{"lessThan":"2d251c15c27e2dd16d6318425d2f7260cbd47d39","status":"affected","version":"ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0","versionType":"git"},{"lessThan":"e08969c4d65ac31297fcb4d31d4808c789152f68","status":"affected","version":"ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/input/keyboard/cros_ec_keyb.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.19"},{"lessThan":"5.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.159","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.118","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.60","versionType":"semver"},{"lessThanOrEqual":"6.17.*","status":"unaffected","version":"6.17.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.18","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.159","versionStartIncluding":"5.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.118","versionStartIncluding":"5.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.60","versionStartIncluding":"5.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.17.10","versionStartIncluding":"5.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18","versionStartIncluding":"5.19","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cros_ec_keyb - fix an invalid memory access\n\nIf cros_ec_keyb_register_matrix() isn't called (due to\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains\nNULL.  An invalid memory access is observed in cros_ec_keyb_process()\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\nin such case.\n\n  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\n  ...\n  x3 : 0000000000000000 x2 : 0000000000000000\n  x1 : 0000000000000000 x0 : 0000000000000000\n  Call trace:\n  input_event\n  cros_ec_keyb_work\n  blocking_notifier_call_chain\n  ec_irq_thread\n\nIt's still unknown about why the kernel receives such malformed event,\nin any cases, the kernel shouldn't access `ckdev->idev` and friends if\nthe driver doesn't intend to initialize them."}],"providerMetadata":{"dateUpdated":"2026-05-11T21:45:57.409Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb"},{"url":"https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7"},{"url":"https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec"},{"url":"https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39"},{"url":"https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68"}],"title":"Input: cros_ec_keyb - fix an invalid memory access","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-40263","datePublished":"2025-12-04T16:08:23.327Z","dateReserved":"2025-04-16T07:20:57.182Z","dateUpdated":"2026-06-02T13:00:15.067Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-12-04 16:16:20","lastModifiedDate":"2026-06-02 14:16:32","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"40263","Ordinal":"1","Title":"Input: cros_ec_keyb - fix an invalid memory access","CVE":"CVE-2025-40263","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"40263","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cros_ec_keyb - fix an invalid memory access\n\nIf cros_ec_keyb_register_matrix() isn't called (due to\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains\nNULL.  An invalid memory access is observed in cros_ec_keyb_process()\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\nin such case.\n\n  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\n  ...\n  x3 : 0000000000000000 x2 : 0000000000000000\n  x1 : 0000000000000000 x0 : 0000000000000000\n  Call trace:\n  input_event\n  cros_ec_keyb_work\n  blocking_notifier_call_chain\n  ec_irq_thread\n\nIt's still unknown about why the kernel receives such malformed event,\nin any cases, the kernel shouldn't access `ckdev->idev` and friends if\nthe driver doesn't intend to initialize them.","Type":"Description","Title":"Input: cros_ec_keyb - fix an invalid memory access"}]}}}