CVE-2025-38689 in Linux
Summary
by MITRE • 09/04/2025
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Fix NULL dereference in avx512_status()
Problem ------- With CONFIG_X86_DEBUG_FPU enabled, reading /proc/[kthread]/arch_status
causes a warning and a NULL pointer dereference.
This is because the AVX-512 timestamp code uses x86_task_fpu() but doesn't check it for NULL. CONFIG_X86_DEBUG_FPU addles that function for kernel threads (PF_KTHREAD specifically), making it return NULL.
The point of the warning was to ensure that kernel threads only access task->fpu after going through kernel_fpu_begin()/_end(). Note: all kernel tasks exposed in /proc have a valid task->fpu.
Solution -------- One option is to silence the warning and check for NULL from x86_task_fpu(). However, that warning is fairly fresh and seems like a defense against misuse of the FPU state in kernel threads.
Instead, stop outputting AVX-512_elapsed_ms for kernel threads altogether. The data was garbage anyway because avx512_timestamp is only updated for user threads, not kernel threads.
If anyone ever wants to track kernel thread AVX-512 use, they can come back later and do it properly, separate from this bug fix.
[ dhansen: mostly rewrite changelog ]
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/10/2026
The vulnerability CVE-2025-38689 represents a critical NULL pointer dereference issue within the Linux kernel's x86 floating point unit (FPU) subsystem, specifically affecting the avx512_status() function. This flaw manifests when the CONFIG_X86_DEBUG_FPU kernel configuration option is enabled, creating a condition where reading the /proc/[kthread]/arch_status file triggers a kernel warning followed by a NULL pointer dereference. The root cause stems from the AVX-512 timestamp code utilizing the x86_task_fpu() function without implementing proper NULL pointer validation, a vulnerability that becomes particularly problematic when dealing with kernel threads identified by the PF_KTHREAD flag.
The technical implementation of this vulnerability involves the interaction between kernel thread identification and FPU state management within the Linux kernel's task structure. When kernel threads are processed through the arch_status interface, the x86_task_fpu() function returns NULL for these specific thread types due to the PF_KTHREAD flag, creating an undefined behavior scenario. The warning mechanism was originally designed to enforce proper FPU state access protocols, ensuring that kernel threads only manipulate task->fpu after executing kernel_fpu_begin() and kernel_fpu_end() functions. However, the current implementation fails to account for the specific case where kernel threads lack valid FPU state structures, leading to the NULL dereference condition.
The operational impact of this vulnerability extends beyond simple kernel panics, potentially affecting system stability and availability in environments where kernel debugging features are enabled. Attackers could exploit this condition to cause system crashes or denial of service scenarios, particularly in systems where kernel thread monitoring is active. The vulnerability affects systems with CONFIG_X86_DEBUG_FPU enabled, which is commonly found in development and debugging environments, though production systems may also be at risk if this configuration is inadvertently enabled. The flaw demonstrates poor defensive programming practices and highlights the importance of proper input validation in kernel space operations.
The fix implemented addresses the vulnerability by eliminating the output of AVX-512 elapsed time measurements for kernel threads entirely, recognizing that this data would have been invalid anyway since avx512_timestamp is only updated for user-space threads. This approach aligns with the principle of least privilege and proper resource management, preventing the exposure of meaningless data while avoiding the complexity of proper kernel thread FPU state tracking. The solution reflects a defensive programming strategy that prioritizes system stability over potentially misleading information, with the understanding that future implementations could properly address kernel thread AVX-512 usage tracking through separate mechanisms. This vulnerability resolution demonstrates the importance of considering edge cases in kernel development and the necessity of comprehensive testing across different thread types and kernel configurations.
This vulnerability maps directly to CWE-476 which describes NULL pointer dereference conditions in software systems, and relates to ATT&CK technique T1059.003 for kernel-level command execution and system manipulation. The fix implementation follows security best practices by implementing proper NULL checking and avoiding the exposure of invalid data rather than attempting to work around the underlying issue. The solution maintains system integrity while acknowledging that the original warning mechanism served a legitimate purpose in preventing improper FPU state access patterns. This represents a classic case of defensive programming where the approach chosen prioritizes system stability and correctness over attempting to preserve potentially broken functionality.