CVE-2025-22065 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

idpf: fix adapter NULL pointer dereference on reboot

With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens, it is possible for the adapter to be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference.

echo 1 > /sys/class/net//device/sriov_numvfs
reboot

BUG: kernel NULL pointer dereference, address: 0000000000000020
...
RIP: 0010:idpf_remove+0x22/0x1f0 [idpf]
...
? idpf_remove+0x22/0x1f0 [idpf]
? idpf_remove+0x1e4/0x1f0 [idpf]
pci_device_remove+0x3f/0xb0
device_release_driver_internal+0x19f/0x200
pci_stop_bus_device+0x6d/0x90
pci_stop_and_remove_bus_device+0x12/0x20
pci_iov_remove_virtfn+0xbe/0x120
sriov_disable+0x34/0xe0
idpf_sriov_configure+0x58/0x140 [idpf]
idpf_remove+0x1b9/0x1f0 [idpf]
idpf_shutdown+0x12/0x30 [idpf]
pci_device_shutdown+0x35/0x60
device_shutdown+0x156/0x200
...

Replace the direct idpf_remove() call in idpf_shutdown() with idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform the bulk of the cleanup, such as stopping the init task, freeing IRQs, destroying the vports and freeing the mailbox. This avoids the calls to sriov_disable() in addition to a small netdev cleanup, and destroying workqueues, which don't seem to be required on shutdown.
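The double-remove path in the trace above and the shape of the fix, as an added, constructed C model written for this page (it is not idpf driver code): function names mirror the kernel symbols in the trace, but the struct layouts, the outcome counters, run_reboot() and the reboot_oopses()/reboot_remove_calls() helpers are assumptions made for the model, and the NULL check inside the model's idpf_remove() stands in for the oops the real driver takes.

```c
#include <stdio.h>

/* Constructed model, not idpf driver code: names mirror the kernel symbols in
 * the trace, bodies are minimal stand-ins that only record what happened. */

#define MAX_VFS 4

/* Stand-in for struct idpf_adapter. */
struct adapter {
    unsigned long flags;
    int core_deinit_done;
    int mbx_deinit_done;
    int full_remove_done;
};

/* Stand-in for struct pci_dev; drvdata plays the role of pci_get_drvdata(). */
struct pci_dev {
    struct adapter *drvdata;
    int num_vfs;
    struct pci_dev *vfs[MAX_VFS];
};

/* What a reader can inspect instead of a kernel oops (assumed bookkeeping). */
struct outcome {
    int remove_calls;
    int null_deref;   /* set when idpf_remove() is entered with drvdata == NULL */
};

static void idpf_vc_core_deinit(struct adapter *a) { a->core_deinit_done = 1; }
static void idpf_deinit_dflt_mbx(struct adapter *a) { a->mbx_deinit_done = 1; }

static void idpf_remove(struct pci_dev *pdev, struct outcome *out);

/* sriov_disable(): the PCI core detaches every VF, and because the VFs are
 * bound to the same driver, pci_device_remove() lands in idpf_remove() again. */
static void sriov_disable(struct pci_dev *pf, struct outcome *out)
{
    for (int i = 0; i < pf->num_vfs; i++)
        idpf_remove(pf->vfs[i], out);
    pf->num_vfs = 0;
}

static void idpf_sriov_configure(struct pci_dev *pdev, int num_vfs, struct outcome *out)
{
    if (num_vfs == 0)
        sriov_disable(pdev, out);
}

static void idpf_remove(struct pci_dev *pdev, struct outcome *out)
{
    struct adapter *adapter = pdev->drvdata;

    out->remove_calls++;
    if (!adapter) {
        /* The real driver has no such check: it touches adapter->flags and oopses. */
        out->null_deref = 1;
        return;
    }
    adapter->flags |= 1UL;               /* IDPF_REMOVE_IN_PROG */
    idpf_sriov_configure(pdev, 0, out);  /* VF teardown re-enters this routine */
    idpf_vc_core_deinit(adapter);
    idpf_deinit_dflt_mbx(adapter);
    adapter->full_remove_done = 1;       /* netdev cleanup, workqueues, ... */
    pdev->drvdata = NULL;                /* a later call now sees NULL */
}

/* Before the fix: shutdown reused the whole remove path. */
static void idpf_shutdown_vulnerable(struct pci_dev *pdev, struct outcome *out)
{
    idpf_remove(pdev, out);
}

/* After the fix: only the cleanup shutdown needs, never sriov_disable(). */
static void idpf_shutdown_fixed(struct pci_dev *pdev, struct outcome *out)
{
    struct adapter *adapter = pdev->drvdata;

    (void)out;
    idpf_vc_core_deinit(adapter);
    idpf_deinit_dflt_mbx(adapter);
}

/* device_shutdown() visits children before parents, so every VF is shut down
 * before its PF. num_vfs == 0 models a system without SRIOV enabled. */
static struct outcome run_reboot(int num_vfs,
                                 void (*shutdown)(struct pci_dev *, struct outcome *))
{
    struct outcome out = {0, 0};
    struct adapter pf_adapter = {0}, vf_adapter[MAX_VFS] = {{0}};
    struct pci_dev vfs[MAX_VFS] = {{0}};
    struct pci_dev pf = {&pf_adapter, 0, {0}};

    if (num_vfs > MAX_VFS)
        num_vfs = MAX_VFS;
    pf.num_vfs = num_vfs;
    for (int i = 0; i < num_vfs; i++) {
        vfs[i].drvdata = &vf_adapter[i];
        pf.vfs[i] = &vfs[i];
    }
    for (int i = num_vfs - 1; i >= 0; i--)
        shutdown(&vfs[i], &out);
    shutdown(&pf, &out);
    return out;
}

/* 1 if the modelled reboot would have oopsed; how many times idpf_remove() ran. */
int reboot_oopses(int num_vfs, int fixed)
{
    return run_reboot(num_vfs, fixed ? idpf_shutdown_fixed : idpf_shutdown_vulnerable).null_deref;
}

int reboot_remove_calls(int num_vfs, int fixed)
{
    return run_reboot(num_vfs, fixed ? idpf_shutdown_fixed : idpf_shutdown_vulnerable).remove_calls;
}

int main(void)
{
    printf("SRIOV, old shutdown:   oops=%d remove_calls=%d\n", reboot_oopses(2, 0), reboot_remove_calls(2, 0));
    printf("SRIOV, fixed shutdown: oops=%d remove_calls=%d\n", reboot_oopses(2, 1), reboot_remove_calls(2, 1));
    printf("no SRIOV, old shutdown: oops=%d remove_calls=%d\n", reboot_oopses(0, 0), reboot_remove_calls(0, 0));
    return 0;
}
```

With VFs present, the old shutdown re-enters idpf_remove() once per VF after that VF's drvdata has already been cleared by its own shutdown pass, which is the NULL adapter the commit describes; the fixed shutdown never reaches idpf_remove() at all, and without SRIOV the old path also completes cleanly, matching the triggering conditions in the summary.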


Analysis

by VulDB Data Team • 02/15/2026

The vulnerability described in CVE-2025-22065 is a critical NULL pointer dereference in the Linux kernel's Intel Data Plane Function (idpf) driver. It manifests when Single Root I/O Virtualization (SRIOV) is enabled on a system using the idpf driver, so that the driver's removal routine runs twice during a reboot. The root cause is that idpf_remove() is entered first from idpf_shutdown() and then again when that first call reaches sriov_disable(), which removes the VF devices bound to the same driver, leaving device state and resource cleanup inconsistent between the two passes.

The fault is triggered when the system shuts down the network interface while SRIOV is active. During the reboot, idpf_shutdown() calls idpf_remove() directly, which in turn invokes sriov_disable() as part of its cleanup. Because the Virtual Function (VF) devices also use the idpf driver, the same remove routine runs again for each VF; by then the adapter pointer for that device has already been left NULL by the first pass, so the second call dereferences NULL, faulting at address 0x0000000000000020 and producing a kernel oops and system instability. This is the pattern classified as CWE-476, NULL pointer dereference.

The operational impact goes beyond a one-off crash: the oops occurs during a normal shutdown, after VFs have been enabled with a command such as echo 1 > /sys/class/net//device/sriov_numvfs and a reboot has been issued, so it undermines availability in server environments that depend on reliable shutdown procedures. The call stack shows the fault crossing several kernel subsystems, PCI device management, the device shutdown sequence and SRIOV handling, which places it in the kernel's fundamental device management infrastructure.

The fix changes the shutdown path so that it no longer calls idpf_remove() at all: idpf_shutdown() instead calls the narrower idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which stop the init task, free IRQs, destroy the vports and free the mailbox. That removes the sriov_disable() step and also skips the netdev cleanup and workqueue destruction, which are not needed on shutdown. This solution aligns with ATT&CK technique T1490 which addresses the exploitation of system shutdown and reboot procedures to create denial of service conditions. The fix is essentially a defensive programming pattern: it prevents the double teardown and ensures proper resource management during system transitions, thereby addressing the core flaw in the driver's shutdown handling.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00216

KEV

no

Activities

very low
