Invalid Memory Access in Linux Kernel Cros EC Keyboard Driver
CVE-2025-40263

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 4 December 2025

What is CVE-2025-40263?

The Linux kernel's cros_ec_keyb driver contains a vulnerability where an invalid memory access occurs if the initialization function cros_ec_keyb_register_matrix() is not called. This issue arises when the driver receives an EC_MKBP_EVENT_KEY_MATRIX event without proper initialization, resulting in a failure to correctly handle the kernel's read operation from a null memory address. This vulnerability could potentially lead to system instability or exposure to further attacks, as the kernel accesses members that should remain uninitialized.

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 7bfd959187f2c7584bb43280bbc7b2846e7a5085

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 9cf59f4724a9ee06ebb06c76b8678ac322e850b7

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6d81068685154535af06163eb585d6d9663ec7ec

References

https://git.kernel.org/stable/c/7bfd959187f2c7584bb43280b...

https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b...

https://git.kernel.org/stable/c/6d81068685154535af06163eb...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 4, 2025
Vulnerability Reserved
Apr 16, 2025

JSON