CVE-2025-71193
Unknown Unknown - Not Provided
NULL Pointer Dereference in Linux qcom-qusb2 PHY Runtime PM

Publication date: 2026-02-04

Last updated on: 2026-02-04

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data. There is a small window where the suspend callback may run after PM runtime enabling and before runtime forbid. This causes a sporadic crash during boot: ``` Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1 [...] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT Workqueue: pm pm_runtime_work pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2] lr : pm_generic_runtime_suspend+0x2c/0x44 [...] ``` Attach the QPHY instance as driver data before enabling runtime PM to prevent NULL pointer dereference in runtime PM callbacks. Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a short window where an unnecessary runtime suspend can occur. Use the devres-managed version to ensure PM runtime is symmetrically disabled during driver removal for proper cleanup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-04
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-14
NVD
CVE-2025-71193
EUVD
EUVD-2025-206805
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qualcomm qcom_qusb2 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Qualcomm QUSB2 PHY driver. It involves a NULL pointer dereference that can occur during early suspend operations.

The issue arises because runtime power management (PM) is enabled before the QPHY instance is attached as driver data. This creates a small timing window where runtime PM callbacks expect valid driver data but receive a NULL pointer instead.

As a result, a sporadic crash can happen during system boot, caused by the kernel trying to dereference a NULL pointer in the runtime suspend callback.

The fix involves attaching the QPHY instance as driver data before enabling runtime PM, reordering runtime PM enable and forbid calls to close the timing window, and using devres-managed functions to ensure proper cleanup during driver removal.

Impact Analysis

This vulnerability can cause the Linux kernel to crash sporadically during system boot due to a NULL pointer dereference in the Qualcomm QUSB2 PHY driver.

Such crashes can lead to system instability, unexpected reboots, or failure to boot properly, which may disrupt normal device operation.

The impact is primarily on system reliability and availability rather than direct data compromise.

Compliance Impact

I don't know

Detection Guidance

This vulnerability causes a sporadic crash during boot due to a NULL pointer dereference in runtime PM callbacks related to the qcom-qusb2 driver.

Detection can be done by checking for kernel crash logs or messages similar to the following during system boot or runtime:

  • Look for kernel messages containing "Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1".
  • Check for stack traces referencing "qusb2_phy_runtime_suspend" and "pm_generic_runtime_suspend" in kernel logs.

You can use commands such as:

  • dmesg | grep -i 'NULL pointer dereference'
  • journalctl -k | grep -i 'qusb2_phy_runtime_suspend'
  • journalctl -k | grep -i 'pm_runtime_work'
Mitigation Strategies

To mitigate this vulnerability, ensure that the QPHY instance is attached as driver data before enabling runtime PM.

Additionally, reorder the calls to pm_runtime_enable() and pm_runtime_forbid() to prevent the short window where an unnecessary runtime suspend can occur.

Use the devres-managed version of runtime PM functions to ensure that runtime PM is symmetrically disabled during driver removal, which helps proper cleanup and prevents crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71193. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart