CVE-2025-38265 in Linuxinfo

Summary

by MITRE • 07/10/2025

In the Linux kernel, the following vulnerability has been resolved:

serial: jsm: fix NPE during jsm_uart_port_init

No device was set which caused serial_base_ctrl_add to crash.

BUG: kernel NULL pointer dereference, address: 0000000000000050 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1 Debian 6.12.25-1 RIP: 0010:serial_base_ctrl_add+0x96/0x120 Call Trace: <TASK> serial_core_register_port+0x1a0/0x580 ? __setup_irq+0x39c/0x660 ? __kmalloc_cache_noprof+0x111/0x310 jsm_uart_port_init+0xe8/0x180 [jsm]
jsm_probe_one+0x1f4/0x410 [jsm]
local_pci_probe+0x42/0x90 pci_device_probe+0x22f/0x270 really_probe+0xdb/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8c/0xe0 bus_add_driver+0x112/0x1f0 driver_register+0x72/0xd0 jsm_init_module+0x36/0xff0 [jsm]
? __pfx_jsm_init_module+0x10/0x10 [jsm]
do_one_initcall+0x58/0x310 do_init_module+0x60/0x230

Tested with Digi Neo PCIe 8 port card.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/07/2025

The vulnerability identified as CVE-2025-38265 represents a critical null pointer dereference within the Linux kernel's serial communication subsystem, specifically affecting the jsm (JSM - JSM Serial Multiplexer) driver. This flaw manifests during the initialization process of serial uart ports, where the driver fails to properly establish a device reference before attempting to access it, leading to a kernel oops and potential system crash. The issue occurs when the serial_base_ctrl_add function is invoked without a valid device context, causing the kernel to attempt accessing memory at address 0x50 which results in an immediate system failure. The error trace indicates this vulnerability originates from the jsm_uart_port_init function within the jsm kernel module, specifically during the probe and initialization sequence of PCIe serial devices.

The technical root cause of this vulnerability stems from inadequate null pointer validation within the driver's initialization routine, where the device structure that should be populated during the jsm_uart_port_init process remains uninitialized or unset. This represents a classic null pointer dereference pattern that aligns with CWE-476, which defines null pointer dereference as a condition where a program attempts to access a memory location through a pointer that has a value of NULL. The flaw is particularly concerning because it occurs in kernel space during device initialization, meaning any attempt to enumerate or initialize a JSM-compatible serial device will trigger this condition, potentially affecting system stability and availability. The vulnerability is triggered when the kernel attempts to register a serial port through serial_core_register_port, which then calls serial_base_ctrl_add without proper device validation.

The operational impact of this vulnerability extends beyond simple system crashes, as it can lead to complete system instability when devices are probed or initialized. The affected hardware includes Digi Neo PCIe 8 port cards, indicating that any system running with JSM driver support and compatible PCIe serial hardware is at risk. This vulnerability could be exploited by malicious actors to cause denial of service conditions, potentially leading to complete system crashes or forced reboots. The fact that the crash occurs during udev worker execution suggests that automated device detection and enumeration processes could be compromised, potentially affecting system boot processes and device management functionality. The vulnerability's location within the kernel's serial subsystem means it could impact communication with critical system devices, including modems, serial terminals, and embedded communication hardware.

Mitigation strategies for this vulnerability require immediate kernel updates to patch the null pointer dereference issue within the jsm driver module. System administrators should prioritize applying the latest kernel security patches that address this specific flaw, particularly those that include proper device initialization validation before function calls. The patch should ensure that jsm_uart_port_init properly sets up device references before calling serial_base_ctrl_add, implementing proper null checks and initialization routines. Additionally, implementing runtime monitoring for kernel oops conditions and system stability alerts can help detect exploitation attempts. Organizations should also consider temporarily disabling JSM driver functionality for affected systems until proper patches are applied, especially in critical environments where system availability is paramount. The vulnerability's classification as a kernel-level null pointer dereference makes it particularly dangerous in production environments where automated device discovery processes are common, requiring comprehensive testing of patch deployments to ensure system stability before full implementation.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/10/2025

Moderation

accepted

CPE

ready

EPSS

0.00155

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!