CVE-2025-39699 in Linux
Summary
by MITRE • 09/05/2025
In the Linux kernel, the following vulnerability has been resolved:
iommu/riscv: prevent NULL deref in iova_to_phys
The riscv_iommu_pte_fetch() function returns either NULL for unmapped/never-mapped iova, or a valid leaf pte pointer that requires no further validation.
riscv_iommu_iova_to_phys() failed to handle NULL returns. Prevent null pointer dereference in riscv_iommu_iova_to_phys(), and remove the pte validation.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability identified as CVE-2025-39699 resides within the Linux kernel's IOMMU implementation specifically for RISC-V architectures. This issue manifests as a potential null pointer dereference that could compromise system stability and security. The problem occurs within the iommu/riscv subsystem where the kernel attempts to translate IO Virtual Addresses (IOVA) to physical addresses through the iova_to_phys functionality. The vulnerability represents a critical flaw in memory management operations that could be exploited to cause system crashes or potentially enable privilege escalation attacks.
The technical root cause is that riscv_iommu_iova_to_phys() did not handle the return value of riscv_iommu_pte_fetch(). That helper returns either NULL, for an IOVA that is unmapped or was never mapped, or a pointer to a valid leaf page table entry (pte) that needs no further validation. The iova_to_phys implementation did not check for the NULL case, so translating an unmapped IOVA leads to a null pointer dereference. This pattern violates standard defensive programming practice and creates an exploitable condition in the kernel's memory management subsystem.
The operational impact of this vulnerability extends beyond simple system crashes, potentially affecting the entire system stability and security posture. When a null pointer dereference occurs in kernel space, it typically results in immediate system termination through a kernel oops or panic condition, effectively causing a denial of service. The vulnerability affects systems utilizing RISC-V architecture with IOMMU support, particularly those implementing virtualization or device assignment scenarios where IOVA translation is frequently performed. From a cybersecurity perspective, this vulnerability could be leveraged by malicious actors to perform persistent denial of service attacks against critical infrastructure, or potentially as part of a broader exploitation chain targeting kernel memory management.
The fix addresses the core issue by checking for a NULL return in riscv_iommu_iova_to_phys() before the pointer is dereferenced, and by removing the pte validation, which is redundant because the helper only ever returns a valid leaf pte. This mitigation aligns with common security practices for kernel development and follows the principle of least privilege in memory management operations. The weakness is classified as CWE-476 (NULL Pointer Dereference), part of the broader class of improper handling of null values in security-critical contexts. The vulnerability also shows characteristics relevant to ATT&CK technique T1068, exploitation of local vulnerabilities to gain elevated privileges, though its immediate impact is on system stability. The resolution ensures that the kernel's IOMMU implementation validates the return value of the helper function before dereferencing it, removing the condition that could lead to system instability or potential privilege escalation on affected RISC-V systems.
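The following is an added illustration of the bug pattern and its fix described in the root-cause and fix paragraphs above; it is not the kernel's riscv_iommu code. It models a two-level page-table walk with a helper that has the contract the summary describes (NULL for an unmapped IOVA, otherwise a pointer to a valid leaf pte), then shows the pre-fix translation routine, which validates the pte by dereferencing the returned pointer, next to the fixed one, which checks the pointer and drops the redundant pte check. All names prefixed `toy_`, the bit layout, the table geometry and the sample mappings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed two-level page-table model (hypothetical, not the kernel's
 * riscv_iommu code): 4 KiB pages, 16 entries per level, so one level-1
 * entry that is a leaf covers a 64 KiB "megapage". Bit layout simplified. */
#define TOY_PAGE_SHIFT    12
#define TOY_PAGE_SIZE     (1ULL << TOY_PAGE_SHIFT)
#define TOY_ENTRIES       16
#define TOY_LEVEL_BITS    4
#define TOY_PTE_V         (1ULL << 0)   /* valid */
#define TOY_PTE_R         (1ULL << 1)   /* readable   (leaf bit) */
#define TOY_PTE_W         (1ULL << 2)   /* writable   (leaf bit) */
#define TOY_PTE_X         (1ULL << 3)   /* executable (leaf bit) */
#define TOY_PTE_LEAF      (TOY_PTE_R | TOY_PTE_W | TOY_PTE_X)
#define TOY_PTE_PFN_SHIFT 10

typedef uint64_t toy_pte_t;

struct toy_domain {
    toy_pte_t root[TOY_ENTRIES];               /* level 1 */
    toy_pte_t leaf[TOY_ENTRIES][TOY_ENTRIES];  /* level 0, one table per root slot */
};

static unsigned int toy_idx_l1(uint64_t iova)
{
    return (iova >> (TOY_PAGE_SHIFT + TOY_LEVEL_BITS)) & (TOY_ENTRIES - 1);
}

static unsigned int toy_idx_l0(uint64_t iova)
{
    return (iova >> TOY_PAGE_SHIFT) & (TOY_ENTRIES - 1);
}

/* Hypothetical pte_fetch with the contract the summary describes: NULL for an
 * iova that is unmapped at any level, otherwise a pointer to a leaf pte that
 * is valid by construction. *pte_size receives the size the leaf covers. */
static toy_pte_t *toy_pte_fetch(struct toy_domain *d, uint64_t iova, size_t *pte_size)
{
    toy_pte_t *l1 = &d->root[toy_idx_l1(iova)];

    if (!(*l1 & TOY_PTE_V))
        return NULL;                               /* never mapped at level 1 */
    if (*l1 & TOY_PTE_LEAF) {
        *pte_size = TOY_PAGE_SIZE * TOY_ENTRIES;   /* 64 KiB megapage */
        return l1;
    }

    toy_pte_t *l0 = &d->leaf[toy_idx_l1(iova)][toy_idx_l0(iova)];

    if (!(*l0 & TOY_PTE_V))
        return NULL;                               /* table exists, page unmapped */
    *pte_size = TOY_PAGE_SIZE;
    return l0;
}

/* Physical address = frame from the pte plus the offset inside the region. */
static uint64_t toy_pte_to_phys(toy_pte_t pte, uint64_t iova, size_t pte_size)
{
    return ((pte >> TOY_PTE_PFN_SHIFT) << TOY_PAGE_SHIFT) | (iova & (pte_size - 1));
}

/* Pattern before the fix: the pte is "validated" by dereferencing the returned
 * pointer, which is a NULL dereference whenever the iova is unmapped.
 * Only ever call this with a mapped iova in this demo. */
static uint64_t toy_iova_to_phys_vulnerable(struct toy_domain *d, uint64_t iova)
{
    size_t pte_size;
    toy_pte_t *ptr = toy_pte_fetch(d, iova, &pte_size);

    if (!(*ptr & TOY_PTE_V))   /* *ptr faults when ptr == NULL */
        return 0;
    return toy_pte_to_phys(*ptr, iova, pte_size);
}

/* Pattern after the fix: check the pointer, drop the redundant pte check. */
static uint64_t toy_iova_to_phys_fixed(struct toy_domain *d, uint64_t iova)
{
    size_t pte_size;
    toy_pte_t *ptr = toy_pte_fetch(d, iova, &pte_size);

    if (!ptr)
        return 0;                                  /* unmapped: no translation */
    return toy_pte_to_phys(*ptr, iova, pte_size);
}

static void toy_map_page(struct toy_domain *d, uint64_t iova, uint64_t paddr)
{
    d->root[toy_idx_l1(iova)] = TOY_PTE_V;         /* non-leaf: refers to leaf[idx] */
    d->leaf[toy_idx_l1(iova)][toy_idx_l0(iova)] =
        ((paddr >> TOY_PAGE_SHIFT) << TOY_PTE_PFN_SHIFT) | TOY_PTE_V | TOY_PTE_R | TOY_PTE_W;
}

static void toy_map_megapage(struct toy_domain *d, uint64_t iova, uint64_t paddr)
{
    d->root[toy_idx_l1(iova)] =
        ((paddr >> TOY_PAGE_SHIFT) << TOY_PTE_PFN_SHIFT) | TOY_PTE_V | TOY_PTE_R;
}

/* Constructed sample domain: one 4 KiB page and one 64 KiB megapage mapped,
 * everything else unmapped (static storage is zero-initialised). */
static struct toy_domain *toy_sample_domain(void)
{
    static struct toy_domain d;
    static int ready;

    if (!ready) {
        toy_map_page(&d, 0x1000, 0x80001000ULL);
        toy_map_megapage(&d, 0x20000, 0x90000000ULL);
        ready = 1;
    }
    return &d;
}

int main(void)
{
    struct toy_domain *d = toy_sample_domain();
    uint64_t probes[] = { 0x1234, 0x23456, 0x5000, 0x50000 };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("iova 0x%llx -> phys 0x%llx\n", (unsigned long long)probes[i],
               (unsigned long long)toy_iova_to_phys_fixed(d, probes[i]));
    return 0;
}
```

Two of the probes (0x5000, whose level-0 table exists but whose slot is empty, and 0x50000, whose level-1 slot was never populated) make the helper return NULL; the fixed routine reports "no translation" for both, while the pre-fix routine would fault on either. The megapage probe shows why the helper hands back the region size: the low 16 bits of the IOVA must be preserved as the offset into the 64 KiB mapping.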