CVE-2025-38581 in Linuxinfo

Summary

by MITRE • 08/19/2025

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix crash when rebind ccp device for ccp.ko

When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash:

$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind

[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098
[ 204.978026] #PF: supervisor write access in kernel mode
[ 204.979126] #PF: error_code(0x0002) - not-present page
[ 204.980226] PGD 0 P4D 0
[ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI
... [ 204.997852] Call Trace:
[ 204.999074] <TASK>
[ 205.000297] start_creating+0x9f/0x1c0
[ 205.001533] debugfs_create_dir+0x1f/0x170
[ 205.002769] ? srso_return_thunk+0x5/0x5f
[ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp]
[ 205.005241] ccp5_init+0x8b2/0x960 [ccp]
[ 205.006469] ccp_dev_init+0xd4/0x150 [ccp]
[ 205.007709] sp_init+0x5f/0x80 [ccp]
[ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp]
[ 205.010165] ? srso_return_thunk+0x5/0x5f
[ 205.011376] local_pci_probe+0x4f/0xb0
[ 205.012584] pci_device_probe+0xdb/0x230
[ 205.013810] really_probe+0xed/0x380
[ 205.015024] __driver_probe_device+0x7e/0x160
[ 205.016240] device_driver_attach+0x2f/0x60
[ 205.017457] bind_store+0x7c/0xb0
[ 205.018663] drv_attr_store+0x28/0x40
[ 205.019868] sysfs_kf_write+0x5f/0x70
[ 205.021065] kernfs_fop_write_iter+0x145/0x1d0
[ 205.022267] vfs_write+0x308/0x440
[ 205.023453] ksys_write+0x6d/0xe0
[ 205.024616] __x64_sys_write+0x1e/0x30
[ 205.025778] x64_sys_call+0x16ba/0x2150
[ 205.026942] do_syscall_64+0x56/0x1e0
[ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 205.029276] RIP: 0033:0x7fbc36f10104
[ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5

This patch sets ccp_debugfs_dir to NULL after destroying it in ccp5_debugfs_destroy, allowing the directory dentry to be recreated when rebinding the ccp device.

Tested on AMD Ryzen 7 1700X.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/09/2026

The vulnerability CVE-2025-38581 affects the Linux kernel's Crypto Control Processor (CCP) driver component, specifically when the CONFIG_CRYPTO_DEV_CCP_DEBUGFS configuration option is enabled. This flaw manifests as a kernel NULL pointer dereference during device rebinding operations, which can lead to system crashes and potential denial of service conditions. The issue occurs within the cryptographic subsystem where the CCP driver manages hardware acceleration for cryptographic operations typically found in AMD processors. The vulnerability is particularly concerning because it affects the kernel's device management functionality during runtime, when devices are dynamically bound and unbound from drivers.

The technical root cause lies in improper handling of debugfs directory structures within the ccp5_debugfs_setup function. When a CCP device is unbound and subsequently rebound, the debugfs directory created during initialization is destroyed but the ccp_debugfs_dir pointer is not properly reset to NULL. This creates a scenario where the system attempts to access a freed memory location when trying to recreate the debugfs directory structure. The crash occurs at address 0x0000000000000098 which represents a NULL pointer dereference in the kernel's memory management subsystem. The call trace shows the execution path leads through debugfs_create_dir, ccp5_debugfs_setup, and ultimately to the device initialization functions that handle PCI device probing and binding operations.

This vulnerability impacts system stability and availability by enabling an attacker to potentially crash the kernel through controlled device rebinding operations. The flaw aligns with CWE-476, which describes NULL pointer dereference conditions, and represents a classic case of improper resource management in kernel space. From an operational perspective, the vulnerability affects systems running Linux kernels with CCP cryptographic acceleration enabled, particularly those utilizing AMD Ryzen processors or other hardware that supports the CCP driver. The attack vector requires local access to the system and involves manipulating PCI device binding through sysfs interfaces, making it less accessible than remote exploits but still concerning for systems where device management operations are performed by untrusted users or processes.

The mitigation strategy involves applying the kernel patch that correctly sets ccp_debugfs_dir to NULL after destroying the debugfs directory in the ccp5_debugfs_destroy function. This ensures proper cleanup and prevents subsequent attempts to access freed memory structures during device reinitialization. System administrators should update their kernel versions to include this fix, particularly in production environments where device rebinding operations might occur. Organizations should also consider disabling CONFIG_CRYPTO_DEV_CCP_DEBUGFS if debugfs functionality is not required, as this would eliminate the vulnerability surface area entirely. The fix aligns with ATT&CK technique T1059.006 for kernel-level code injection and T1489 for system shutdown/reboot, as it addresses a condition that could be exploited to cause system instability through device management operations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

08/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00159

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!