Linux Kernel up to 6.16.4/6.17-rc3 ice reset ice_unplug_aux_dev null pointer dereference

Summaryinfo

A vulnerability was found in Linux Kernel up to 6.16.4/6.17-rc3. It has been classified as critical. This issue affects the function ice_unplug_aux_dev of the file /sys/class/net//device/reset of the component ice. This manipulation causes null pointer dereference. This vulnerability is tracked as CVE-2025-39814. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability has been found in Linux Kernel up to 6.16.4/6.17-rc3 and classified as critical. Affected by this vulnerability is the function ice_unplug_aux_dev of the file /sys/class/net//device/reset of the component ice. The manipulation with an unknown input leads to a null pointer dereference vulnerability. The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. As an impact it is known to affect availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset Issuing a reset when the driver is loaded without RDMA support, will results in a crash as it attempts to remove RDMA's non-existent auxbus device: echo 1 > /sys/class/net/<if>/device/reset BUG: kernel NULL pointer dereference, address: 0000000000000008 ... RIP: 0010:ice_unplug_aux_dev+0x29/0x70 [ice] ... Call Trace: <TASK> ice_prepare_for_reset+0x77/0x260 [ice] pci_dev_save_and_disable+0x2c/0x70 pci_reset_function+0x88/0x130 reset_store+0x5a/0xa0 kernfs_fop_write_iter+0x15e/0x210 vfs_write+0x273/0x520 ksys_write+0x6b/0xe0 do_syscall_64+0x79/0x3b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ice_unplug_aux_dev() checks pf->cdev_info->adev for NULL pointer, but pf->cdev_info will also be NULL, leading to the deref in the trace above. Introduce a flag to be set when the creation of the auxbus device is successful, to avoid multiple NULL pointer checks in ice_unplug_aux_dev().

It is possible to read the advisory at git.kernel.org. This vulnerability is known as CVE-2025-39814 since 04/16/2025. The exploitation appears to be difficult. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 265303 (Linux Distros Unpatched Vulnerability : CVE-2025-39814), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.16.5 or 6.17-rc4 eliminates this vulnerability. Applying the patch db783756a7d7cfaea039411971d0dc0a374e85cb/60dfe2434eed13082f26eb7409665dfafb38fa51 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (265303) and CERT Bund (WID-SEC-2025-2077). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• IBM QRadar SIEM
• SUSE openSUSE
• Open Source Linux Kernel
• RESF Rocky Linux
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.16.0
• 6.16.1
• 6.16.2
• 6.16.3
• 6.16.4
• 6.17-rc1
• 6.17-rc2
• 6.17-rc3

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion