CVE-2025-68375 in Linux
Summary
by MITRE • 12/24/2025
In the Linux kernel, the following vulnerability has been resolved:
perf/x86: Fix NULL event access and potential PEBS record loss
When intel_pmu_drain_pebs_icl() is called to drain PEBS records, the perf_event_overflow() could be called to process the last PEBS record.
While perf_event_overflow() could trigger the interrupt throttle and stop all events of the group, like what the below call-chain shows.
perf_event_overflow() -> __perf_event_overflow() ->__perf_event_account_interrupt() -> perf_event_throttle_group() -> perf_event_throttle() -> event->pmu->stop() -> x86_pmu_stop()
The side effect of stopping the events is that all corresponding event pointers in cpuc->events[] array are cleared to NULL.
Assume there are two PEBS events (event a and event b) in a group. When intel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the last PEBS record of PEBS event a, interrupt throttle is triggered and all pointers of event a and event b are cleared to NULL. Then intel_pmu_drain_pebs_icl() tries to process the last PEBS record of event b and encounters NULL pointer access.
To avoid this issue, move cpuc->events[] clearing from x86_pmu_stop()
to x86_pmu_del(). It's safe since cpuc->active_mask or cpuc->pebs_enabled is always checked before access the event pointer from cpuc->events[].
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 12/29/2025
This vulnerability exists within the Linux kernel's performance monitoring unit implementation specifically affecting x86 architectures. The issue stems from a race condition and improper state management during PEBS (Precise Event-Based Sampling) record processing. When the intel_pmu_drain_pebs_icl() function attempts to drain PEBS records, it invokes perf_event_overflow() to process the final record in a group. This processing can trigger interrupt throttling mechanisms that ultimately lead to event group suspension and subsequent pointer clearing in the CPU's event array.
The technical flaw manifests through a problematic call chain that begins with perf_event_overflow() and progresses through __perf_event_overflow(), __perf_event_account_interrupt(), perf_event_throttle_group(), and perf_event_throttle() before reaching x86_pmu_stop(). This sequence results in the clearing of all event pointers within the cpuc->events[] array to NULL values. The vulnerability is particularly dangerous because it occurs during the processing of PEBS records in grouped events, where multiple events share the same performance monitoring unit context. When interrupt throttling is triggered during processing of the first event's final record, the entire event group becomes suspended, causing all event pointers to be invalidated.
The operational impact of this vulnerability is significant for systems relying on performance monitoring and profiling capabilities. Systems utilizing Intel processors with PEBS functionality may experience complete loss of performance data when encountering this condition, particularly during high-frequency event processing scenarios. The potential for data loss extends beyond simple monitoring gaps to include complete failure of performance event tracking during critical system operations. This vulnerability affects the reliability of performance analysis tools and can compromise the integrity of profiling data used for system optimization, debugging, and security monitoring purposes.
The mitigation strategy involves restructuring the event pointer management by moving the clearing operation from x86_pmu_stop() to x86_pmu_del(). This approach ensures that event pointers remain valid during the PEBS record processing phase while maintaining the safety checks that already exist in the codebase. The cpuc->active_mask and cpuc->pebs_enabled checks provide sufficient protection against accessing invalid pointers, making this relocation safe and effective. This fix aligns with CWE-476 which addresses NULL pointer dereference vulnerabilities, and follows ATT&CK technique T1059.001 for command and scripting interpreter usage in system-level operations. The solution maintains system stability while preserving existing performance monitoring capabilities and prevents the complete loss of PEBS records that could occur during interrupt throttling scenarios.
This vulnerability represents a classic case of improper resource management in kernel-level code where event lifecycle management conflicts with interrupt handling mechanisms. The fix demonstrates the importance of maintaining proper pointer validity during asynchronous operations and highlights the complexity of managing shared resources in performance monitoring subsystems. The resolution ensures that PEBS record processing can complete successfully even when interrupt throttling occurs, thereby maintaining the integrity of performance data collection for system analysis and debugging purposes.