CVE-2025-39854
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-19

Last updated on: 2025-12-12

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ice: fix NULL access of tx->in_use in ice_ll_ts_intr Recent versions of the E810 firmware have support for an extra interrupt to handle report of the "low latency" Tx timestamps coming from the specialized low latency firmware interface. Instead of polling the registers, software can wait until the low latency interrupt is fired. This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as it uses the same "ready" bitmap to track which Tx timestamps complete. Unfortunately, the ice_ll_ts_intr() function does not check if the tracker is initialized before its first access. This results in NULL dereference or use-after-free bugs similar to the issues fixed in the ice_ptp_ts_irq() function. Fix this by only checking the in_use bitmap (and other fields) if the tracker is marked as initialized. The reset flow will clear the init field under lock before it tears the tracker down, thus preventing any use-after-free or NULL access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-19
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-09-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-39854
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.8 (inc) to 6.12.46 (exc)
linux linux_kernel From 6.13 (inc) to 6.16.6 (exc)
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel 6.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves the ice_ll_ts_intr() function, which handles low latency Tx timestamps from specialized firmware. The function does not check if the Tx timestamp tracker is initialized before accessing it, leading to potential NULL pointer dereference or use-after-free bugs. This can cause crashes or undefined behavior in the kernel. The fix ensures the tracker is marked as initialized before accessing its fields, preventing these issues.

Impact Analysis

The vulnerability can cause the Linux kernel to crash or behave unpredictably due to NULL pointer dereference or use-after-free errors when handling low latency Tx timestamps. This can lead to system instability, potential denial of service, or other unexpected behavior affecting network performance or reliability.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the ice_ll_ts_intr NULL access issue. This fix ensures that the tracker is checked for initialization before accessing its fields, preventing NULL dereference or use-after-free bugs. Until the update is applied, avoid using the low latency Tx timestamp feature that relies on the ice_ll_ts_intr function.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-39854. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart