CVE-2025-22044 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary bus families can be translated". This warning is emitted if the argument is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first verifies that a user-provided value call_pkg->nd_family of type u64 is not equal to 0. Then the value is converted to int, and only after that is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid argument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while the lower 32 bits are zero.
Furthermore, it is best to return EINVAL immediately upon seeing the invalid user input. The WARNING is insufficient to prevent further undefined behavior based on other invalid user input.
All checks of the input value should be applied to the original variable call_pkg->nd_family.
[iweiny: update commit message]
Analysis
by VulDB Data Team • 02/15/2026
CVE-2025-22044 is a flaw in the Linux kernel's ACPI NFIT driver, in the acpi_nfit_ctl() function that dispatches NVDIMM (Non-Volatile Dual In-line Memory Module) commands to the platform's ACPI _DSM methods. It is a narrowing-conversion bug in the validation of a user-supplied parameter: the 64-bit call_pkg->nd_family field of the ND_CMD_CALL packet, which selects the NVDIMM bus family. The validation runs in the wrong order, converting the u64 to an int before the range check is complete, so a value that is invalid as a 64-bit quantity can pass the check once its upper 32 bits have been discarded.
The sequence is as follows. acpi_nfit_ctl() first tests whether call_pkg->nd_family is non-zero (zero means the primary NFIT bus family, which needs no translation). If it is non-zero, the u64 is assigned to an int, and only that int is compared against NVDIMM_BUS_FAMILY_MAX and looked up in the bus family mask. A value such as 0x1_0000_0000 is non-zero as a u64 but becomes 0 after truncation to int, so it passes the bounds check and is then handed to to_nfit_bus_uuid() as family 0. That function only translates secondary families; being called with NVDIMM_BUS_FAMILY_NFIT (0) is exactly the condition it guards against, which is why it fires the WARN_ONCE "only secondary bus families can be translated" and returns a NULL GUID that the caller was not written to handle. More generally, any 64-bit value whose low 32 bits happen to be a valid family number is accepted as that family regardless of its upper bits. The truncation silently discards the very bits that would have failed validation.
The reachable effect is narrower than the phrase "privilege escalation" suggests. The field arrives through the bus-level ND_CMD_CALL ioctl on the libnvdimm control device (/dev/ndctlN), which must be opened for writing and is normally restricted to root. What an invalid value produces is a kernel WARN_ONCE followed by continued processing with an invalid family selection, which the commit message describes as undefined behavior; on systems running with kernel.panic_on_warn=1 the warning itself is a crash. The practical outcome is therefore denial of service and kernel instability, not a demonstrated escalation. The affected code is the ACPI NFIT path used on servers and virtual machines that expose persistent memory through the NFIT table. VulDB classifies the issue as CWE-190 (Integer Overflow or Wraparound); the mechanism is more precisely a numeric truncation error (CWE-197), since the fault is the silent loss of the upper 32 bits in the u64 to int conversion rather than arithmetic overflow. VulDB also maps it to ATT&CK technique T1068 (Exploitation for Privilege Escalation); nothing on this page shows the flaw yielding elevated privileges, so the mapping should be read as the generic category for kernel input-validation bugs.
Mitigation is the kernel update carrying the fix, which reorders the validation so that every check runs on the original u64 call_pkg->nd_family before anything is converted, and returns -EINVAL as soon as the value is out of range instead of relying on a WARN that lets processing continue. Administrators should prioritize hosts with NVDIMM or other persistent memory exposed through NFIT, including virtual machines and cloud instances whose firmware presents NFIT tables to the guest. Until a host is patched, the exposure is bounded by who can open the libnvdimm control device for writing, so permissions on /dev/ndctl* should be reviewed. The WARN_ONCE text "only secondary bus families can be translated" in dmesg or collected kernel logs is a direct indicator that an invalid family value reached the driver, whether from a fuzzer or from a hostile caller.
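The check ordering described in the analysis above and the reordering the fix applies, as an added example that is not code from the kernel or from VulDB. It models the two variants in plain C so they can be run side by side: the family constants are the real values from include/uapi/linux/ndctl.h, while the bus family mask, the family_registered() helper, translate_secondary() and the enum of outcomes are assumptions standing in for the kernel's structures. The model also goes beyond the single 0x1_0000_0000 case in the commit message by feeding a value whose low 32 bits happen to be a legal family.

```c
#include <stdint.h>
#include <stdio.h>

/* Real values from include/uapi/linux/ndctl.h. */
#define NVDIMM_BUS_FAMILY_NFIT   0
#define NVDIMM_BUS_FAMILY_INTEL  1
#define NVDIMM_BUS_FAMILY_MAX    NVDIMM_BUS_FAMILY_INTEL

/* Assumed: what the caller ends up doing with the family field. */
enum outcome {
	USE_PRIMARY,     /* nd_family == 0: primary NFIT bus family, no translation */
	USE_SECONDARY,   /* a registered secondary family, translated to its UUID */
	REJECT_EINVAL,   /* out of range or not registered: ioctl fails with -EINVAL */
	WARN_NULL_GUID   /* family 0 reached the translator: WARN_ONCE, NULL GUID back */
};

/* Constructed: a bus that has registered both the NFIT and the Intel family. */
static const unsigned long bus_family_mask =
	(1UL << NVDIMM_BUS_FAMILY_NFIT) | (1UL << NVDIMM_BUS_FAMILY_INTEL);

/* Stand-in for the kernel's test_bit(). The kernel helper does not guard the
 * index; the guard here only keeps this model free of undefined C shifts. */
static int family_registered(int nr, const unsigned long *mask)
{
	if (nr < 0 || nr >= (int)(8 * sizeof(*mask)))
		return 0;
	return (int)((*mask >> nr) & 1UL);
}

/* Stand-in for to_nfit_bus_uuid(): only secondary families have a bus UUID,
 * so the primary family hits the WARN_ONCE and the caller gets NULL. */
static enum outcome translate_secondary(int family)
{
	if (family == NVDIMM_BUS_FAMILY_NFIT) {
		fprintf(stderr, "WARNING: only secondary bus families can be translated\n");
		return WARN_NULL_GUID;
	}
	return USE_SECONDARY;
}

/* Pre-fix ordering from the commit message: non-zero test on the u64,
 * narrowing assignment to int, then the bounds check on the int. */
static enum outcome select_bus_family_before(uint64_t nd_family)
{
	int family = 0;

	if (nd_family) {
		family = (int)nd_family;  /* drops the upper 32 bits: 0x100000000 -> 0 */
		if (family > NVDIMM_BUS_FAMILY_MAX ||
		    !family_registered(family, &bus_family_mask))
			return REJECT_EINVAL;
		return translate_secondary(family);
	}
	return USE_PRIMARY;
}

/* Post-fix ordering: every check runs on the original u64 and the call is
 * rejected with -EINVAL before any narrowing happens. */
static enum outcome select_bus_family_after(uint64_t nd_family)
{
	if (!nd_family)
		return USE_PRIMARY;
	if (nd_family > NVDIMM_BUS_FAMILY_MAX)
		return REJECT_EINVAL;
	/* The conversion is now lossless: nd_family <= 1 fits in an int. */
	if (!family_registered((int)nd_family, &bus_family_mask))
		return REJECT_EINVAL;
	return translate_secondary((int)nd_family);
}

int main(void)
{
	/* Constructed inputs: the two legal families, an out-of-range one,
	 * the syzkaller-style value, and a value whose low 32 bits look legal. */
	static const uint64_t inputs[] = {
		0, 1, 2, 0x100000000ULL, 0xFFFFFFFF00000001ULL
	};
	static const char *const names[] = {
		"USE_PRIMARY", "USE_SECONDARY", "REJECT_EINVAL", "WARN_NULL_GUID"
	};
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("nd_family=0x%016llx before=%-14s after=%s\n",
		       (unsigned long long)inputs[i],
		       names[select_bus_family_before(inputs[i])],
		       names[select_bus_family_after(inputs[i])]);
	return 0;
}
```

The last input is the case the commit message does not spell out: 0xFFFFFFFF00000001 is not a valid family, yet the pre-fix code accepts it as the Intel family because only its low 32 bits survive the assignment. The post-fix version rejects both that value and 0x100000000 with the same comparison, because the comparison now sees all 64 bits.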