CVE-2025-38255

MEDIUM EPSS 3.4%
Published Jul 9, 202511mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jul 9, 2025 11mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() While testing null_blk with configfs, echo 0 > poll_queues will trigger following panic: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:__bitmap_or+0x48/0x70 Call Trace: <TASK> __group_cpus_evenly+0x822/0x8c0 group_cpus_evenly+0x2d9/0x490 blk_mq_map_queues+0x1e/0x110 null_map_queues+0xc9/0x170 [null_blk] blk_mq_update_queue_map+0xdb/0x160 blk_mq_update_nr_hw_queues+0x22b/0x560 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_poll_queues_store+0xa4/0x130 [null_blk] configfs_write_iter+0x109/0x1d0 vfs_write+0x26e/0x6f0 ksys_write+0x79/0x180 __x64_sys_write+0x1d/0x30 x64_sys_call+0x45c4/0x45f0 do_syscall_64+0xa5/0x240 entry_SYSCALL_64_after_hwframe+0x76/0x7e Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from kcalloc(), and later ZERO_SIZE_PTR will be deferenced. Fix the problem by checking numgrps first in group_cpus_evenly(), and return NULL directly if numgrps is zero. [yukuai3@huawei.com: also fix the non-SMP version]

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 6

VendorProductVersionRange
linuxlinux_kernel*≥6.3  –  <6.6.96
linuxlinux_kernel*≥6.7  –  <6.12.36
linuxlinux_kernel*≥6.13  –  <6.15.5
linuxlinux_kernel6.16any
linuxlinux_kernel6.16any
linuxlinux_kernel6.16any

References 4

  • git.kernel.org https://git.kernel.org/stable/c/29d39e0d5f16c060e32542b2cf351c09fd22b250
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/64a99eff8dcf1f951a544e6058341b2b19a8fdbd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/911ef2e8a7de5b2bae8ff11fb0bd01f699e6db65
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/df831e97739405ecbaddb85516bc7d4d1c933d6b
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/29d39e0d5f16c060e32542b2cf351c09fd22b250
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/64a99eff8dcf1f951a544e6058341b2b19a8fdbd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/911ef2e8a7de5b2bae8ff11fb0bd01f699e6db65
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/df831e97739405ecbaddb85516bc7d4d1c933d6b
    Patch