CVE-2025-21713 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries/iommu: Don't unset window if it was never set
On pSeries, when user attempts to use the same vfio container used by different iommu group, the spapr_tce_set_window() returns -EPERM and the subsequent cleanup leads to the below crash.
Kernel attempted to read user page (308) - exploit attempt?
BUG: Kernel NULL pointer dereference on read at 0x00000308
Faulting instruction address: 0xc0000000001ce358
Oops: Kernel access of bad area, sig: 11 [#1]
NIP: c0000000001ce358 LR: c0000000001ce05c CTR: c00000000005add0
NIP [c0000000001ce358] spapr_tce_unset_window+0x3b8/0x510
LR [c0000000001ce05c] spapr_tce_unset_window+0xbc/0x510
Call Trace:
spapr_tce_unset_window+0xbc/0x510 (unreliable)
tce_iommu_attach_group+0x24c/0x340 [vfio_iommu_spapr_tce]
vfio_container_attach_group+0xec/0x240 [vfio]
vfio_group_fops_unl_ioctl+0x548/0xb00 [vfio]
sys_ioctl+0x754/0x1580
system_call_exception+0x13c/0x330
system_call_vectored_common+0x15c/0x2ec
--- interrupt: 3000
Fix this by having a null check for the tbl passed to spapr_tce_unset_window().
Analysis
by VulDB Data Team • 05/25/2026
CVE-2025-21713 affects the Linux kernel's powerpc/pseries/iommu subsystem, specifically the spapr_tce_set_window path that manages IOMMU windows for Virtual Function I/O (VFIO) containers. The issue arises when a user attempts to use the same VFIO container with a different IOMMU group, a scenario the kernel is expected to reject cleanly. Instead, a kernel NULL pointer dereference occurs during the cleanup that follows the -EPERM return from spapr_tce_set_window, the check that prevents unauthorized access to IOMMU resources.
The flaw is missing null pointer validation in spapr_tce_unset_window, which is called during the cleanup phase of the attach. When the same VFIO container is used across multiple IOMMU groups, spapr_tce_set_window correctly returns -EPERM to forbid the operation, but the cleanup that follows does not check whether the table (tbl) passed to spapr_tce_unset_window is valid before accessing it. Because the window was never set, tbl is NULL and the read at address 0x00000308 faults, producing an immediate kernel oops (sig: 11, SIGSEGV). The faulting instruction address 0xc0000000001ce358 lies inside spapr_tce_unset_window, where the invalid access occurs; this is a clear case of improper resource management.
The operational impact is severe: the crash takes down the whole system, a denial of service on hosts running affected kernel versions. Because it is triggered by legitimate VFIO container management operations, it is particularly dangerous in production environments where stability is critical. The vulnerability affects pSeries systems using the SPAPR (Shared Processor Architecture) TCE (Translation Control Entry) IOMMU implementation, commonly found in IBM Power Systems environments. It is a classic null pointer dereference that can be exploited to cause system instability; the primary concern is the unexpected crash rather than privilege escalation or data compromise.
The fix addresses the root cause by adding a null check for the table parameter before it is accessed in spapr_tce_unset_window, so the kernel never attempts to read from a NULL address and the crash condition is eliminated. This follows the kernel development practice of validating every input before use. The vulnerability is categorized under CWE-476 (NULL Pointer Dereference), and the analysis relates it to the ATT&CK techniques T1499.004, which involves system network configuration modification, and T1566.002, related to phishing via social engineering. Organizations should prioritize applying the kernel patch that implements this null check to prevent system crashes and maintain operational continuity on pSeries hardware that uses VFIO containers. The fix ensures proper error handling and resource management in the IOMMU subsystem when VFIO container usage hits this edge case.
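The following is an added C model, not the kernel's code and not part of the advisory: it reproduces the control flow described above (spapr_tce_set_window refusing a second IOMMU group with -EPERM, then the attach cleanup calling spapr_tce_unset_window on a window that was never set) and places the unfixed teardown beside the fixed one with the null check. Every name ending in _model, the fields of the stand-in structures and the refcount bookkeeping are hypothetical simplifications of the real pseries iommu and vfio_iommu_spapr_tce code.

```c
/* Added model of CVE-2025-21713's control flow; not the kernel's code.
 * *_model names and struct fields are constructed stand-ins. */
#include <errno.h>   /* EPERM */
#include <stddef.h>
#include <stdio.h>

#define MAX_WINDOWS 2
#define NO_OWNER (-1)

/* Stand-in for struct iommu_table; the refcount is a constructed field. */
struct iommu_table_model {
    int it_refcount;
};

/* One VFIO container: remembers which iommu group set its window. */
struct container_model {
    int owner_group_id;
};

/* Per-iommu-group state; tables[num] stays NULL until a window is set. */
struct table_group_model {
    int group_id;
    struct iommu_table_model *tables[MAX_WINDOWS];
};

/* Models spapr_tce_set_window(): a container already owned by a different
 * group is refused with -EPERM and tables[num] is left NULL. */
static long set_window_model(struct container_model *c, struct table_group_model *tg,
                             int num, struct iommu_table_model *tbl)
{
    if (c->owner_group_id != NO_OWNER && c->owner_group_id != tg->group_id)
        return -EPERM;
    c->owner_group_id = tg->group_id;
    tg->tables[num] = tbl;
    tbl->it_refcount++;
    return 0;
}

/* Pre-fix shape: uses tbl unconditionally. With tables[num] == NULL the
 * field read is a load from a small offset off address 0, the kind of
 * access the oops reports as "NULL pointer dereference on read". */
static long unset_window_unfixed_model(struct table_group_model *tg, int num)
{
    struct iommu_table_model *tbl = tg->tables[num];

    tbl->it_refcount--;          /* crashes if the window was never set */
    tg->tables[num] = NULL;
    return 0;
}

/* Fixed shape: a window that was never set has nothing to tear down. */
static long unset_window_fixed_model(struct table_group_model *tg, int num)
{
    struct iommu_table_model *tbl = tg->tables[num];

    if (!tbl)
        return 0;
    tbl->it_refcount--;
    tg->tables[num] = NULL;
    return 0;
}

/* Models tce_iommu_attach_group(): when set_window fails, the error path
 * unsets the window, so the cleanup runs on a group whose table is NULL. */
static long attach_group_model(struct container_model *c, struct table_group_model *tg,
                               struct iommu_table_model *tbl, int use_fix)
{
    long ret = set_window_model(c, tg, 0, tbl);

    if (ret) {
        if (use_fix)
            unset_window_fixed_model(tg, 0);
        else
            unset_window_unfixed_model(tg, 0);  /* NULL deref: never call with use_fix == 0 */
    }
    return ret;
}

/* The advisory's scenario: one container, two iommu groups. The second
 * attach fails with -EPERM and its cleanup sees tables[0] == NULL.
 * Returns the second attach's error code (-EPERM) with the fix in place;
 * with use_fix == 0 the process would crash here instead of returning.
 * -99 flags a constructed sanity failure: the first group's window must
 * be untouched by the failed second attach. */
static long reproduce_model(int use_fix)
{
    struct container_model c = { NO_OWNER };
    struct iommu_table_model tbl_a = { 0 }, tbl_b = { 0 };
    struct table_group_model ga = { 1, { NULL, NULL } };
    struct table_group_model gb = { 2, { NULL, NULL } };
    long ret = attach_group_model(&c, &ga, &tbl_a, use_fix);

    if (ret)
        return ret;
    ret = attach_group_model(&c, &gb, &tbl_b, use_fix);
    if (ga.tables[0] != &tbl_a || tbl_a.it_refcount != 1 || gb.tables[0] != NULL)
        return -99;
    return ret;
}

int main(void)
{
    long ret = reproduce_model(1);

    printf("second attach with fix: %ld (%s)\n", ret,
           ret == -EPERM ? "-EPERM, cleanup survived NULL table" : "unexpected");
    return ret == -EPERM ? 0 : 1;
}
```

Running it exercises only the fixed path; the unfixed teardown is kept to show the exact shape of the defect, a field access through a pointer that the error path never populated. The practical check for a defender is the same one the model encodes: any teardown reached from an error path must tolerate state that the failed setup never initialised.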