CVE-2025-68758 Overview
A vulnerability has been identified in the Linux kernel's LED backlight subsystem (led-bl) that results in a null pointer dereference during device removal operations. The issue stems from incorrect devlink supplier-producer relationship creation when the supplier is a class device, causing improper removal ordering between LED backlight consumers and their supplier LED class devices.
Critical Impact
Systems using LED backlight with LED class device suppliers (such as PCA9632 LED driver chips) may experience kernel crashes when device tree overlays are removed or when devices are unbound in an unexpected order, leading to system instability and potential denial of service.
Affected Products
- Linux kernel with LED backlight (led-bl) driver enabled
- Systems utilizing device tree overlays with LED backlight configurations
- Embedded systems using PCA9632 or similar LED driver chips with backlight functionality
Discovery Timeline
- 2026-01-05 - CVE-2025-68758 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-68758
Vulnerability Analysis
The LED Backlight driver acts as a consumer of one or multiple LED class devices. Under normal operation, the devlink subsystem should create supplier-producer links that enforce proper device removal ordering. However, when the supplier is a class device (rather than a platform device), devlink incorrectly establishes the link with the parent of the expected device instead of the device itself.
For example, in a configuration where backlight-addon consumes from pca9632@62, the devlink should connect backlight-addon (consumer) to pca9632@62 (supplier). Instead, the link is incorrectly created between backlight-addon and the parent I2C bus adapter of pca9632@62.
This incorrect linkage means the kernel cannot properly enforce removal ordering. When the overlay is removed or when devices are manually unbound, the LED driver may be removed before the backlight device that depends on it. This results in a null pointer dereference in the led_put() function when the backlight driver attempts to release an already-freed LED resource.
Root Cause
The root cause is the devlink subsystem's inability to correctly identify class devices as suppliers. When processing supplier-consumer relationships, devlink traverses to the parent device rather than recognizing the class device itself as the proper supplier endpoint. This architectural limitation in the devlink handling of class devices leads to broken dependency chains.
Attack Vector
This vulnerability is triggered locally through device management operations. An attacker with sufficient privileges to manage device tree overlays or unbind kernel drivers could intentionally trigger the null pointer dereference. The vulnerability can be reproduced without device tree overlays by unbinding the LED class device before unbinding the consumer:
The crash occurs in the led_put() function at offset 0xe0/0x140 when called through devm_led_release() at offset 0x6c/0x98. The faulting access is to virtual address 0x0000000000000010, which is a null pointer dereference with an offset.
Detection Methods for CVE-2025-68758
Indicators of Compromise
- Kernel panic or oops messages referencing led_put or devm_led_release functions
- System logs showing "Unable to handle kernel NULL pointer dereference" at virtual address 0x0000000000000010
- Unexpected system crashes during device tree overlay removal operations
- Crashes occurring when unbinding LED driver devices via sysfs
Detection Strategies
- Monitor kernel logs for null pointer dereference exceptions in LED subsystem functions
- Implement system monitoring for unexpected kernel panics on embedded systems using LED backlight functionality
- Review device tree configurations for led-backlight compatible entries that reference LED class devices
Monitoring Recommendations
- Enable kernel crash dump collection to capture detailed information about null pointer dereferences
- Set up automated alerting for kernel oops messages containing led_put or led-bl references
- Monitor sysfs device binding/unbinding operations on systems with LED backlight configurations
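One way to implement the log check described above, as an added example that is not part of the original advisory or of the kernel project. It groups each NULL pointer dereference oops with the frames that follow it and reports only those whose trace contains led_put or devm_led_release; the function name, the window size and the sample log lines are assumptions constructed for illustration.

```python
import re

# Symbols the advisory names in the crash path.
LED_SYMBOLS = ("led_put", "devm_led_release")
FAULT_RE = re.compile(r"Unable to handle kernel NULL pointer dereference"
                      r" at virtual address (?:0x)?([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
STAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")

def find_led_bl_oopses(lines, window=80):
    """Return one record per NULL-deref oops whose trace hits a LED symbol."""
    hits, cur = [], None

    def close(rec):
        if rec and any(f in LED_SYMBOLS for f in rec["frames"]):
            hits.append({"address": rec["address"], "frames": rec["frames"]})

    for raw in lines:
        line = STAMP_RE.sub("", raw.strip())
        fault = FAULT_RE.search(line)
        if fault:  # a new oops starts: flush the previous record first
            close(cur)
            cur = {"address": int(fault.group(1), 16), "frames": [], "left": window}
            continue
        if cur is None:
            continue
        for sym in FRAME_RE.findall(line):
            if sym not in cur["frames"]:  # pc/lr lines repeat trace frames
                cur["frames"].append(sym)
        cur["left"] -= 1
        if "end trace" in line or cur["left"] == 0:
            close(cur)
            cur = None
    close(cur)  # log may be cut off before the end-trace marker
    return hits

# Constructed sample log: the first oops matches the advisory, the second does not.
SAMPLE = """\
[  812.104512] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[  812.104556] Call trace:
[  812.104560]  led_put+0xe0/0x140
[  812.104565]  devm_led_release+0x6c/0x98
[  812.104570]  devres_release_all+0xa8/0x110
[  812.104580] ---[ end trace 0000000000000000 ]---
[  901.000100] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
[  901.000125]  example_other_driver_remove+0x24/0x60
[  901.000130] ---[ end trace 0000000000000000 ]---
""".splitlines()
```

Feed it the output of `dmesg` or a persisted kernel log split into lines; an empty result means no oops in the input had a LED symbol in its trace.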
How to Mitigate CVE-2025-68758
Immediate Actions Required
- Apply the kernel patches from the stable kernel tree as soon as available for your distribution
- Avoid removing device tree overlays containing LED backlight configurations on production systems until patched
- Ensure proper unbind ordering by removing LED backlight consumers before LED suppliers when manual operations are required
- Review and restrict access to driver unbind interfaces in sysfs
Patch Information
The fix adds a proper devlink between the consuming led-backlight device and the supplying LED device, following the same pattern used by other drivers and subsystems. Multiple commits have been applied to the stable kernel tree:
Workarounds
- Avoid dynamic loading/unloading of LED backlight device tree overlays on affected systems
- When manual device unbinding is necessary, always unbind the backlight consumer device before unbinding the LED supplier device
- Consider disabling the led-bl driver module if LED backlight functionality is not required
# Workaround: Proper unbind ordering (unbind consumer before supplier)
# First unbind the LED backlight consumer
echo backlight-addon > /sys/bus/platform/drivers/led-backlight/unbind
# Then unbind the LED supplier device
echo 11-0062 > /sys/bus/i2c/drivers/leds-pca963x/unbind


