CVE-2025-71233 in Linux

Summary

by MITRE • 02/18/2026

In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Avoid creating sub-groups asynchronously

The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.

The crash can be easily reproduced with the following commands:

# cd /sys/kernel/config/pci_ep/functions/pci_epf_test
# for i in {1..20}; do mkdir test && rmdir test; done

BUG: kernel NULL pointer dereference, address: 0000000000000088
...
Call Trace:
 configfs_register_group+0x3d/0x190
 pci_epf_cfs_work+0x41/0x110
 process_one_work+0x18f/0x350
 worker_thread+0x25a/0x3a0

Fix this issue by using the configfs_add_default_group() API, which does not have the deadlock problem that configfs_register_group() has and does not require the delayed work handler.

[mani: slightly reworded the description and added stable list]
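As an added example (not part of the advisory or of the kernel patch), the following parser turns a dmesg excerpt into structured oops records and flags the signature of this crash: a fault in the zero page with configfs_register_group reached from pci_epf_cfs_work. The sample log is constructed from the trace above; the `#PF` and `<TASK>` lines are assumed x86 oops formatting and are not on the page.

```python
import re

PAGE_SIZE = 4096  # a fault address below this is a NULL-based dereference
# Constructed dmesg excerpt modelled on the trace in the advisory (not a real capture).
SAMPLE_DMESG = """\
[   42.001] BUG: kernel NULL pointer dereference, address: 0000000000000088
[   42.002] #PF: supervisor read access in kernel mode
[   42.003] Call Trace:
[   42.004]  <TASK>
[   42.005]  configfs_register_group+0x3d/0x190
[   42.006]  pci_epf_cfs_work+0x41/0x110
[   42.007]  process_one_work+0x18f/0x350
[   42.008]  worker_thread+0x25a/0x3a0
[   42.009]  </TASK>
[   42.010] ---[ end trace 0000000000000000 ]---
"""
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
TS_RE = re.compile(r"^\[[^\]]*\]\s?")  # leading "[   42.001] " timestamp
FRAME_RE = re.compile(r"^\s*(?:\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[\w+\])?\s*$")

def parse_oops(text):
    """Split a dmesg excerpt into oopses: fault address plus ordered call-trace symbols."""
    oopses, cur, in_trace = [], None, False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        m = BUG_RE.search(line)
        if m:  # each BUG header starts a new record
            cur = {"address": int(m.group(1), 16), "frames": []}
            oopses.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif line.strip() == "Call Trace:":
            in_trace = True
        elif in_trace:
            f = FRAME_RE.match(line)
            if f:
                cur["frames"].append(f.group(1))
            elif line.strip() != "<TASK>":  # any other line ends the trace
                in_trace = False
    return oopses

def matches_epf_cfs_race(oops):
    """True for a zero-page fault whose trace shows configfs_register_group reached from pci_epf_cfs_work."""
    frames = oops["frames"]
    if oops["address"] >= PAGE_SIZE or "configfs_register_group" not in frames:
        return False
    # In a kernel call trace the caller is listed below the callee.
    return "pci_epf_cfs_work" in frames[frames.index("configfs_register_group") + 1:]
```

Feeding the output of `dmesg` (or a crash dump's console log) to `parse_oops` and filtering with `matches_epf_cfs_race` separates this crash from unrelated NULL dereferences on a host that exposes pci_epf_test through configfs.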


Analysis

by VulDB Data Team • 03/19/2026

This vulnerability exists in the Linux kernel's PCI endpoint framework where the asynchronous creation of sub-groups through delayed work mechanisms introduces a critical race condition leading to NULL pointer dereference. The flaw occurs when the driver directory is removed before the delayed work completes, creating a scenario where the system attempts to access freed memory locations. The specific memory address 0x0000000000000088 indicates the kernel is attempting to dereference a null pointer at a critical offset within the configfs subsystem structure. This vulnerability manifests through the configfs_register_group function which is called from the pci_epf_cfs_work handler, creating a dangerous dependency chain where cleanup operations occur before asynchronous work completion. The issue is particularly concerning as it represents a classic race condition pattern that can be exploited to cause system crashes and potential denial of service conditions.

The technical implementation flaw stems from improper synchronization between directory removal operations and asynchronous work processing within the PCI endpoint function framework. When multiple rapid directory creation and removal operations occur in sequence, as demonstrated by the test command loop, the system fails to properly coordinate the lifecycle of configfs groups. The problematic code path involves the process_one_work function calling worker_thread which executes pci_epf_cfs_work, ultimately leading to configfs_register_group attempting to access a structure that has already been freed during the directory removal process. This represents a classic deadlock scenario where the asynchronous work handler cannot properly clean up resources due to the timing of the cleanup operation, creating a NULL pointer dereference condition that results in kernel panic.

The operational impact of this vulnerability extends beyond simple system crashes to potentially enable more sophisticated attack vectors within kernel space. An attacker could leverage this race condition to repeatedly trigger the NULL pointer dereference, causing system instability and potentially facilitating privilege escalation or persistent denial of service attacks. The vulnerability affects systems running Linux kernels that implement the PCI endpoint framework with configfs support, particularly those utilizing the pci_epf_test function driver. The issue demonstrates a failure in proper resource management and synchronization protocols within the kernel's device configuration subsystem, with implications for embedded systems and server environments that rely heavily on PCI endpoint functionality.

The recommended mitigation strategy involves replacing the problematic configfs_register_group API call with the safer configfs_add_default_group API which eliminates the asynchronous work handler requirement and avoids the deadlock scenario entirely. This fix addresses the root cause by removing the delayed work mechanism that creates the race condition, ensuring proper synchronization between directory operations and group creation. The solution aligns with established security practices for kernel development and follows the principle of least privilege by eliminating unnecessary asynchronous operations that can create security vulnerabilities. Organizations should prioritize applying this kernel patch to prevent exploitation and maintain system stability, particularly in environments where PCI endpoint functionality is actively used and where the vulnerability could be leveraged for persistent system disruption. This remediation approach also reduces the attack surface by eliminating the complex asynchronous processing that was introducing the race condition and potential NULL pointer dereference conditions.

Responsible

Linux

Reservation

02/18/2026

Disclosure

02/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00118

KEV

no

Activities

very low
