CVE-2025-22065 (GCVE-0-2025-22065)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
Title
idpf: fix adapter NULL pointer dereference on reboot
Summary
In the Linux kernel, the following vulnerability has been resolved: idpf: fix adapter NULL pointer dereference on reboot With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens, it is possible for the adapter to be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference. echo 1 > /sys/class/net/<netif>/device/sriov_numvfs reboot BUG: kernel NULL pointer dereference, address: 0000000000000020 ... RIP: 0010:idpf_remove+0x22/0x1f0 [idpf] ... ? idpf_remove+0x22/0x1f0 [idpf] ? idpf_remove+0x1e4/0x1f0 [idpf] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19f/0x200 pci_stop_bus_device+0x6d/0x90 pci_stop_and_remove_bus_device+0x12/0x20 pci_iov_remove_virtfn+0xbe/0x120 sriov_disable+0x34/0xe0 idpf_sriov_configure+0x58/0x140 [idpf] idpf_remove+0x1b9/0x1f0 [idpf] idpf_shutdown+0x12/0x30 [idpf] pci_device_shutdown+0x35/0x60 device_shutdown+0x156/0x200 ... Replace the direct idpf_remove() call in idpf_shutdown() with idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform the bulk of the cleanup, such as stopping the init task, freeing IRQs, destroying the vports and freeing the mailbox. This avoids the calls to sriov_disable() in addition to a small netdev cleanup, and destroying workqueues, which don't seem to be required on shutdown.
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: e850efed5e152e6bdd367d5b82019f21298c0653 , < 79618e952ef4dfa1a17ee0631d5549603fab58d8 (git)
Affected: e850efed5e152e6bdd367d5b82019f21298c0653 , < 88a6d562e92a295648f8636acf2a6aa714241771 (git)
Affected: e850efed5e152e6bdd367d5b82019f21298c0653 , < 9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6 (git)
Affected: e850efed5e152e6bdd367d5b82019f21298c0653 , < 4c9106f4906a85f6b13542d862e423bcdc118cc3 (git)
Create a notification for this product.
Linux Linux Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22065",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:40:33.775371Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:40:36.862Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "79618e952ef4dfa1a17ee0631d5549603fab58d8",
              "status": "affected",
              "version": "e850efed5e152e6bdd367d5b82019f21298c0653",
              "versionType": "git"
            },
            {
              "lessThan": "88a6d562e92a295648f8636acf2a6aa714241771",
              "status": "affected",
              "version": "e850efed5e152e6bdd367d5b82019f21298c0653",
              "versionType": "git"
            },
            {
              "lessThan": "9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6",
              "status": "affected",
              "version": "e850efed5e152e6bdd367d5b82019f21298c0653",
              "versionType": "git"
            },
            {
              "lessThan": "4c9106f4906a85f6b13542d862e423bcdc118cc3",
              "status": "affected",
              "version": "e850efed5e152e6bdd367d5b82019f21298c0653",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix adapter NULL pointer dereference on reboot\n\nWith SRIOV enabled, idpf ends up calling into idpf_remove() twice.\nFirst via idpf_shutdown() and then again when idpf_remove() calls into\nsriov_disable(), because the VF devices use the idpf driver, hence the\nsame remove routine. When that happens, it is possible for the adapter\nto be NULL from the first call to idpf_remove(), leading to a NULL\npointer dereference.\n\necho 1 \u003e /sys/class/net/\u003cnetif\u003e/device/sriov_numvfs\nreboot\n\nBUG: kernel NULL pointer dereference, address: 0000000000000020\n...\nRIP: 0010:idpf_remove+0x22/0x1f0 [idpf]\n...\n? idpf_remove+0x22/0x1f0 [idpf]\n? idpf_remove+0x1e4/0x1f0 [idpf]\npci_device_remove+0x3f/0xb0\ndevice_release_driver_internal+0x19f/0x200\npci_stop_bus_device+0x6d/0x90\npci_stop_and_remove_bus_device+0x12/0x20\npci_iov_remove_virtfn+0xbe/0x120\nsriov_disable+0x34/0xe0\nidpf_sriov_configure+0x58/0x140 [idpf]\nidpf_remove+0x1b9/0x1f0 [idpf]\nidpf_shutdown+0x12/0x30 [idpf]\npci_device_shutdown+0x35/0x60\ndevice_shutdown+0x156/0x200\n...\n\nReplace the direct idpf_remove() call in idpf_shutdown() with\nidpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform\nthe bulk of the cleanup, such as stopping the init task, freeing IRQs,\ndestroying the vports and freeing the mailbox. This avoids the calls to\nsriov_disable() in addition to a small netdev cleanup, and destroying\nworkqueues, which don\u0027t seem to be required on shutdown."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:11:57.792Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/79618e952ef4dfa1a17ee0631d5549603fab58d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/88a6d562e92a295648f8636acf2a6aa714241771"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c9106f4906a85f6b13542d862e423bcdc118cc3"
        }
      ],
      "title": "idpf: fix adapter NULL pointer dereference on reboot",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22065",
    "datePublished": "2025-04-16T14:12:19.492Z",
    "dateReserved": "2024-12-29T08:45:45.813Z",
    "dateUpdated": "2026-05-11T21:11:57.792Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-22065",
      "date": "2026-06-15",
      "epss": "0.00208",
      "percentile": "0.10824"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-22065\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-16T15:16:00.713\",\"lastModified\":\"2025-10-01T18:15:44.227\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nidpf: fix adapter NULL pointer dereference on reboot\\n\\nWith SRIOV enabled, idpf ends up calling into idpf_remove() twice.\\nFirst via idpf_shutdown() and then again when idpf_remove() calls into\\nsriov_disable(), because the VF devices use the idpf driver, hence the\\nsame remove routine. When that happens, it is possible for the adapter\\nto be NULL from the first call to idpf_remove(), leading to a NULL\\npointer dereference.\\n\\necho 1 \u003e /sys/class/net/\u003cnetif\u003e/device/sriov_numvfs\\nreboot\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000020\\n...\\nRIP: 0010:idpf_remove+0x22/0x1f0 [idpf]\\n...\\n? idpf_remove+0x22/0x1f0 [idpf]\\n? idpf_remove+0x1e4/0x1f0 [idpf]\\npci_device_remove+0x3f/0xb0\\ndevice_release_driver_internal+0x19f/0x200\\npci_stop_bus_device+0x6d/0x90\\npci_stop_and_remove_bus_device+0x12/0x20\\npci_iov_remove_virtfn+0xbe/0x120\\nsriov_disable+0x34/0xe0\\nidpf_sriov_configure+0x58/0x140 [idpf]\\nidpf_remove+0x1b9/0x1f0 [idpf]\\nidpf_shutdown+0x12/0x30 [idpf]\\npci_device_shutdown+0x35/0x60\\ndevice_shutdown+0x156/0x200\\n...\\n\\nReplace the direct idpf_remove() call in idpf_shutdown() with\\nidpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform\\nthe bulk of the cleanup, such as stopping the init task, freeing IRQs,\\ndestroying the vports and freeing the mailbox. This avoids the calls to\\nsriov_disable() in addition to a small netdev cleanup, and destroying\\nworkqueues, which don\u0027t seem to be required on shutdown.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: idpf: correcci\u00f3n de la desreferencia de puntero nulo del adaptador al reiniciar. Con SRIOV habilitado, idpf termina llamando a idpf_remove() dos veces. Primero mediante idpf_shutdown() y luego de nuevo cuando idpf_remove() llama a sriov_disable(), porque los dispositivos VF usan el controlador idpf, de ah\u00ed la misma rutina de eliminaci\u00f3n. Cuando esto sucede, es posible que el adaptador sea nulo desde la primera llamada a idpf_remove(), lo que provoca una desreferencia de puntero nulo. echo 1 \u0026gt; /sys/class/net//device/sriov_numvfs reboot BUG: desreferencia de puntero nulo del kernel, direcci\u00f3n: 000000000000020 ... RIP: 0010:idpf_remove+0x22/0x1f0 [idpf] ... ? idpf_remove+0x22/0x1f0 [idpf] ? idpf_remove+0x1e4/0x1f0 [idpf] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19f/0x200 pci_stop_bus_device+0x6d/0x90 pci_stop_and_remove_bus_device+0x12/0x20 pci_iov_remove_virtfn+0xbe/0x120 sriov_disable+0x34/0xe0 idpf_sriov_configure+0x58/0x140 [idpf] idpf_remove+0x1b9/0x1f0 [idpf] idpf_shutdown+0x12/0x30 [idpf] pci_device_shutdown+0x35/0x60 device_shutdown+0x156/0x200 ... Reemplace la llamada directa a idpf_remove() en idpf_shutdown() con idpf_vc_core_deinit() e idpf_deinit_dflt_mbx(), que realizan la mayor parte de la limpieza, como detener la tarea de inicializaci\u00f3n, liberar IRQ, destruir los puertos virtuales y liberar el buz\u00f3n. Esto evita las llamadas a sriov_disable(), adem\u00e1s de una peque\u00f1a limpieza de netdev y la destrucci\u00f3n de las colas de trabajo, que no parecen necesarias al apagar.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.23\",\"matchCriteriaId\":\"26CAB76D-F00F-43CE-BEAD-7097F8FB1D6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.11\",\"matchCriteriaId\":\"E7E864B0-8C00-4679-BA55-659B4C9C3AD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.14\",\"versionEndExcluding\":\"6.14.2\",\"matchCriteriaId\":\"FADAE5D8-4808-442C-B218-77B2CE8780A0\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4c9106f4906a85f6b13542d862e423bcdc118cc3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/79618e952ef4dfa1a17ee0631d5549603fab58d8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/88a6d562e92a295648f8636acf2a6aa714241771\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-22065\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T17:40:33.775371Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476 NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T14:41:02.256Z\"}}], \"cna\": {\"title\": \"idpf: fix adapter NULL pointer dereference on reboot\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"e850efed5e152e6bdd367d5b82019f21298c0653\", \"lessThan\": \"79618e952ef4dfa1a17ee0631d5549603fab58d8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"e850efed5e152e6bdd367d5b82019f21298c0653\", \"lessThan\": \"88a6d562e92a295648f8636acf2a6aa714241771\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"e850efed5e152e6bdd367d5b82019f21298c0653\", \"lessThan\": \"9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"e850efed5e152e6bdd367d5b82019f21298c0653\", \"lessThan\": \"4c9106f4906a85f6b13542d862e423bcdc118cc3\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ethernet/intel/idpf/idpf_main.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.7\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.7\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.12.23\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.11\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.14.*\"}, {\"status\": \"unaffected\", \"version\": \"6.15\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/ethernet/intel/idpf/idpf_main.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/79618e952ef4dfa1a17ee0631d5549603fab58d8\"}, {\"url\": \"https://git.kernel.org/stable/c/88a6d562e92a295648f8636acf2a6aa714241771\"}, {\"url\": \"https://git.kernel.org/stable/c/9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6\"}, {\"url\": \"https://git.kernel.org/stable/c/4c9106f4906a85f6b13542d862e423bcdc118cc3\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nidpf: fix adapter NULL pointer dereference on reboot\\n\\nWith SRIOV enabled, idpf ends up calling into idpf_remove() twice.\\nFirst via idpf_shutdown() and then again when idpf_remove() calls into\\nsriov_disable(), because the VF devices use the idpf driver, hence the\\nsame remove routine. When that happens, it is possible for the adapter\\nto be NULL from the first call to idpf_remove(), leading to a NULL\\npointer dereference.\\n\\necho 1 \u003e /sys/class/net/\u003cnetif\u003e/device/sriov_numvfs\\nreboot\\n\\nBUG: kernel NULL pointer dereference, address: 0000000000000020\\n...\\nRIP: 0010:idpf_remove+0x22/0x1f0 [idpf]\\n...\\n? idpf_remove+0x22/0x1f0 [idpf]\\n? idpf_remove+0x1e4/0x1f0 [idpf]\\npci_device_remove+0x3f/0xb0\\ndevice_release_driver_internal+0x19f/0x200\\npci_stop_bus_device+0x6d/0x90\\npci_stop_and_remove_bus_device+0x12/0x20\\npci_iov_remove_virtfn+0xbe/0x120\\nsriov_disable+0x34/0xe0\\nidpf_sriov_configure+0x58/0x140 [idpf]\\nidpf_remove+0x1b9/0x1f0 [idpf]\\nidpf_shutdown+0x12/0x30 [idpf]\\npci_device_shutdown+0x35/0x60\\ndevice_shutdown+0x156/0x200\\n...\\n\\nReplace the direct idpf_remove() call in idpf_shutdown() with\\nidpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform\\nthe bulk of the cleanup, such as stopping the init task, freeing IRQs,\\ndestroying the vports and freeing the mailbox. This avoids the calls to\\nsriov_disable() in addition to a small netdev cleanup, and destroying\\nworkqueues, which don\u0027t seem to be required on shutdown.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.23\", \"versionStartIncluding\": \"6.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.11\", \"versionStartIncluding\": \"6.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14.2\", \"versionStartIncluding\": \"6.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.15\", \"versionStartIncluding\": \"6.7\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-26T05:17:42.099Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-22065\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-01T17:40:36.862Z\", \"dateReserved\": \"2024-12-29T08:45:45.813Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-04-16T14:12:19.492Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.