CVE-2025-71233
NULL Pointer Dereference in Linux PCI Endpoint Sub-Group Creation
Publication date: 2026-02-18
Last updated on: 2026-03-18
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 6.19 (inc) to 6.19.1 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.164 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.72 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.11 (exc) |
| linux | linux_kernel | From 5.12 (inc) to 5.15.201 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.127 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's PCI endpoint functionality. It involves the asynchronous creation of sub-groups by a delayed work task. If the driver directory is removed before this delayed work completes, it can cause a NULL pointer dereference, leading to a kernel crash.
The issue arises because the delayed work uses the configfs_register_group() API, which can cause a deadlock and does not handle the timing correctly. The fix involves switching to the configfs_add_default_group() API, which avoids the deadlock and does not require the delayed work handler.
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference. Such a crash can lead to system instability, downtime, and potential loss of data or service availability.
Because the crash can be easily reproduced by creating and removing directories rapidly in the PCI endpoint configuration filesystem, systems using this functionality may be vulnerable to denial of service attacks or accidental crashes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the crash condition on the affected system.
The following commands can be used to trigger the issue and observe a kernel NULL pointer dereference:
- # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
- # for i in {1..20}; do mkdir test && rmdir test; done
If the system is vulnerable, these commands will cause a kernel crash with a NULL pointer dereference and a call trace involving configfs_register_group and pci_epf_cfs_work.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the fix involves changing the way sub-groups are created in the Linux kernel PCI endpoint driver.
Specifically, the vulnerable asynchronous creation of sub-groups using delayed work should be replaced by using the configfs_add_default_group() API.
This API avoids the deadlock problem and does not require the delayed work handler, preventing the NULL pointer dereference crash.