CVE-2025-22070 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
fs/9p: fix NULL pointer dereference on mkdir
When a 9p tree was mounted with option 'posixacl', parent directory had a default ACL set for its subdirectories, e.g.:
setfacl -m default:group:simpsons:rwx parentdir
then creating a subdirectory crashed 9p client, as v9fs_fid_add() call in function v9fs_vfs_mkdir_dotl() sets the passed 'fid' pointer to NULL (since dafbe689736) even though the subsequent v9fs_set_create_acl() call expects a valid non-NULL 'fid' pointer:
[ 37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000
... [ 37.322338] Call Trace:
[ 37.323043]
[ 37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714)
[ 37.325532] ? search_module_extables (kernel/module/main.c:3733)
[ 37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet
[ 37.328006] ? search_bpf_extables (kernel/bpf/core.c:804)
[ 37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538)
[ 37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574)
[ 37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet
[ 37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p
[ 37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p
[ 37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p
[ 37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p
[ 37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p
[ 37.338590] vfs_mkdir (fs/namei.c:4313)
[ 37.339535] do_mkdirat (fs/namei.c:4336)
[ 37.340465] __x64_sys_mkdir (fs/namei.c:4354)
[ 37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Fix this by simply swapping the sequence of these two calls in v9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before v9fs_fid_add().
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability identified as CVE-2025-22070 represents a critical NULL pointer dereference flaw within the Linux kernel's 9p file system implementation, specifically affecting systems utilizing the 9p protocol with the posixacl mount option. This issue arises from a problematic interaction between two function calls within the directory creation process, creating a scenario where a previously valid file identifier pointer becomes nullified before being utilized by subsequent operations. The flaw manifests when a parent directory is configured with a default access control list that specifies permissions for subdirectories, such as the command setfacl -m default:group:simpsons:rwx parentdir, which establishes a default group permission structure for newly created subdirectories.
The technical root cause of this vulnerability lies in the improper sequencing of function calls within the v9fs_vfs_mkdir_dotl() function located in fs/9p/vfs_inode_dotl.c. Specifically, the v9fs_fid_add() function is invoked first, which explicitly sets the passed 'fid' pointer to NULL as part of its operation, likely to indicate that the file identifier has been processed and should no longer be referenced. However, this nullification occurs before the v9fs_set_create_acl() function is called, which requires a valid non-NULL 'fid' pointer to properly establish access control lists for the newly created directory. This sequence violation creates a direct path to kernel memory corruption and system instability, as evidenced by the kernel NULL pointer dereference error message and the stack trace showing the execution path from vfs_mkdir through the 9p subsystem to the final fault point.
The operational impact of this vulnerability extends beyond simple system crashes, representing a potential denial of service condition that could be exploited by malicious actors to disrupt file system operations or potentially escalate privileges. The vulnerability affects any Linux system running a kernel version that includes the problematic 9p implementation, particularly those utilizing 9p mounts with posixacl enabled for access control management. The flaw demonstrates characteristics consistent with CWE-476, which describes NULL pointer dereference vulnerabilities, and aligns with ATT&CK technique T1499.004, which covers network denial of service attacks through kernel-level exploitation. Systems that rely on 9p file sharing protocols for distributed computing environments, virtualization platforms, or network storage solutions are particularly at risk, as the crash can occur during routine directory creation operations when default ACLs are present.
The fix for this vulnerability involves a straightforward but critical reordering of function calls within the v9fs_vfs_mkdir_dotl() function, specifically executing v9fs_set_create_acl() before v9fs_fid_add(). This simple modification ensures that the file identifier pointer remains valid and populated when the ACL creation function requires it, preventing the NULL pointer dereference that leads to kernel panic and system crash. The resolution addresses the fundamental issue of improper state management in the 9p file system implementation and restores proper function call sequencing. System administrators should prioritize applying this kernel patch to all affected systems, particularly those running 9p mounts with posixacl options, as the vulnerability can be triggered through normal file system operations without requiring special privileges or complex exploitation techniques. The fix represents a defensive programming approach that prevents state corruption by ensuring proper temporal ordering of operations that depend on shared mutable state, thereby maintaining system stability and preventing unauthorized disruption of file system services.