CVE-2025-37784 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
net: ti: icss-iep: Fix possible NULL pointer dereference for perout request
The ICSS IEP driver tracks perout and pps enable state with flags. Currently when disabling pps and perout signals during icss_iep_exit(), results in NULL pointer dereference for perout.
To fix the null pointer dereference issue, the icss_iep_perout_enable_hw function can be modified to directly clear the IEP CMP registers when disabling PPS or PEROUT, without referencing the ptp_perout_request structure, as its contents are irrelevant in this case.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/16/2026
The vulnerability CVE-2025-37784 represents a critical null pointer dereference issue within the Linux kernel's ICSS IEP (Industrial Communication Subsystem Interrupt Event Processor) driver. This driver operates within the industrial networking subsystem and manages precise timing signals for real-time communication protocols. The flaw manifests specifically during the driver shutdown process when icss_iep_exit() attempts to disable both PPS (Pulse Per Second) and perout (periodic output) signals. The issue stems from improper state management where the driver references a null pointer when attempting to access the ptp_perout_request structure during cleanup operations, leading to potential system crashes or denial of service conditions.
The technical root cause of this vulnerability lies in the improper handling of hardware state transitions within the ICSS IEP driver. When disabling timing signals during driver exit, the code path attempts to access the ptp_perout_request structure which may have been freed or never properly initialized. This pattern directly corresponds to CWE-476 which defines null pointer dereference vulnerabilities, where a program attempts to access a memory location through a pointer that has a null value. The specific function icss_iep_perout_enable_hw becomes problematic because it relies on structure contents that are no longer valid during the shutdown sequence, creating a scenario where the driver cannot properly manage its hardware resources.
From an operational impact perspective, this vulnerability poses significant risks to industrial systems that depend on precise timing and real-time communication capabilities. The Linux kernel's ICSS IEP driver is commonly utilized in industrial automation, process control, and embedded systems where reliable timing signals are essential for maintaining system integrity and operational safety. A null pointer dereference during driver exit can result in complete system crashes, forcing unexpected reboots that may disrupt critical industrial processes. This vulnerability could be particularly dangerous in environments where continuous operation is required, as it may lead to extended downtime and potential safety hazards in industrial control systems.
The mitigation strategy for this vulnerability involves modifying the icss_iep_perout_enable_hw function to directly manipulate the IEP CMP (Compare) registers without relying on the ptp_perout_request structure contents. This approach aligns with defensive programming principles and follows the principle of least privilege by ensuring that hardware state changes occur independently of potentially invalid data structures. The fix eliminates the dependency on the structure that may be in an inconsistent state during driver shutdown, allowing the hardware to be properly disabled through direct register manipulation. This solution also reflects ATT&CK technique T1070.004 which involves the use of system logs and monitoring to detect abnormal behavior, as the proper direct hardware manipulation approach reduces the likelihood of runtime errors that could otherwise go unnoticed. The recommended fix ensures that the driver can gracefully handle its shutdown sequence regardless of the state of associated data structures, thereby maintaining system stability and preventing denial of service conditions that could affect industrial automation systems relying on precise timing capabilities.