#VU107696 NULL pointer dereference in Linux kernel - CVE-2025-38240
Vulnerability identifier: #VU107696
Vulnerability risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-476
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the mtk_dp_parse_capabilities() and mtk_dp_wait_hpd_asserted() functions in drivers/gpu/drm/mediatek/mtk_dp.c. A local user can perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Linux kernel: 6.12, 6.12.1, 6.12.2, 6.12.3, 6.12.4, 6.12.5, 6.12.6, 6.12.7, 6.12.8, 6.12.9, 6.12.10, 6.12.11, 6.12.12, 6.12.13, 6.12.14, 6.12.15, 6.12.16, 6.12.17, 6.12.18, 6.12.19, 6.12.20, 6.12.21, 6.12.22
External links
https://git.kernel.org/stable/c/106a6de46cf4887d535018185ec528ce822d6d84
https://git.kernel.org/stable/c/13ec849fd2eab808ee8eba2625df7ebea3b85edf
https://git.kernel.org/stable/c/149a5c38436c229950cf1020992ce65c9549bc19
https://git.kernel.org/stable/c/2fda391ef7a701748abd7fa32232981b522c1e07
https://git.kernel.org/stable/c/57a9fb47551b33cde7b76d17c0072c3b394f4620
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.23
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
