CVE-2025-39887
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-12-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() A crash was observed with the following output: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary) RIP: 0010:bitmap_parselist+0x53/0x3e0 Call Trace: <TASK> osnoise_cpus_write+0x7a/0x190 vfs_write+0xf8/0x410 ? do_sys_openat2+0x88/0xd0 ksys_write+0x60/0xd0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> This issue can be reproduced by below code: fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY); write(fd, "0-2", 0); When user pass 'count=0' to osnoise_cpus_write(), kmalloc() will return ZERO_SIZE_PTR (16) and cpulist_parse() treat it as a normal value, which trigger the null pointer dereference. Add check for the parameter 'count'.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2025-12-11
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-39887
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.16 (inc) to 6.16.8 (exc)
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel 6.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a null pointer dereference in the Linux kernel's tracing/osnoise component, specifically in the bitmap_parselist() function. It occurs when a user writes to /sys/kernel/debug/tracing/osnoise/cpus with a count parameter of zero, causing kmalloc() to return a ZERO_SIZE_PTR which is incorrectly treated as a valid pointer. This leads to a kernel crash (NULL pointer dereference). The issue was fixed by adding a check for the count parameter to prevent this condition.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference when the affected function is triggered. This can lead to system instability or denial of service, as the kernel may panic or become unresponsive.

Detection Guidance

This vulnerability can be detected by checking for kernel crash logs indicating a NULL pointer dereference in bitmap_parselist(), specifically looking for messages like 'BUG: kernel NULL pointer dereference, address: 0000000000000010' and call traces involving osnoise_cpus_write. You can also attempt to reproduce the issue by running commands that write to /sys/kernel/debug/tracing/osnoise/cpus with a zero count parameter, for example: 1) fd=$(sudo sh -c 'echo $$'); 2) sudo sh -c 'echo "0-2" > /sys/kernel/debug/tracing/osnoise/cpus' (Note: this may cause a kernel crash if vulnerable). Monitoring kernel logs with 'dmesg' or 'journalctl -k' for related Oops messages can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the Linux kernel to a version where the vulnerability is fixed (post 6.17.0-rc4-00201-gd69eb204c255). Until then, avoid writing to /sys/kernel/debug/tracing/osnoise/cpus with a zero count parameter or untrusted input. Restrict access to the tracing subsystem to trusted users only to prevent exploitation. Monitoring and restricting usage of the osnoise tracing interface can reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-39887. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart