CVE-2025-71193
NULL Pointer Dereference in Linux qcom-qusb2 PHY Runtime PM
Publication date: 2026-02-04
Last updated on: 2026-02-04
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qualcomm | qcom_qusb2 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Qualcomm QUSB2 PHY driver. It involves a NULL pointer dereference that can occur during early suspend operations.
The issue arises because runtime power management (PM) is enabled before the QPHY instance is attached as driver data. This creates a small timing window where runtime PM callbacks expect valid driver data but receive a NULL pointer instead.
As a result, a sporadic crash can happen during system boot, caused by the kernel trying to dereference a NULL pointer in the runtime suspend callback.
The fix involves attaching the QPHY instance as driver data before enabling runtime PM, reordering runtime PM enable and forbid calls to close the timing window, and using devres-managed functions to ensure proper cleanup during driver removal.
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to crash sporadically during system boot due to a NULL pointer dereference in the Qualcomm QUSB2 PHY driver.
Such crashes can lead to system instability, unexpected reboots, or failure to boot properly, which may disrupt normal device operation.
The impact is primarily on system reliability and availability rather than direct data compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a sporadic crash during boot due to a NULL pointer dereference in runtime PM callbacks related to the qcom-qusb2 driver.
Detection can be done by checking for kernel crash logs or messages similar to the following during system boot or runtime:
- Look for kernel messages containing "Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1".
- Check for stack traces referencing "qusb2_phy_runtime_suspend" and "pm_generic_runtime_suspend" in kernel logs.
You can use commands such as:
- dmesg | grep -i 'NULL pointer dereference'
- journalctl -k | grep -i 'qusb2_phy_runtime_suspend'
- journalctl -k | grep -i 'pm_runtime_work'
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the QPHY instance is attached as driver data before enabling runtime PM.
Additionally, reorder the calls to pm_runtime_enable() and pm_runtime_forbid() to prevent the short window where an unnecessary runtime suspend can occur.
Use the devres-managed version of runtime PM functions to ensure that runtime PM is symmetrically disabled during driver removal, which helps proper cleanup and prevents crashes.