Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-38581

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
19/08/2025
Last modified:
09/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: ccp - Fix crash when rebind ccp device for ccp.ko<br /> <br /> When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding<br /> the ccp device causes the following crash:<br /> <br /> $ echo &amp;#39;0000:0a:00.2&amp;#39; &gt; /sys/bus/pci/drivers/ccp/unbind<br /> $ echo &amp;#39;0000:0a:00.2&amp;#39; &gt; /sys/bus/pci/drivers/ccp/bind<br /> <br /> [ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098<br /> [ 204.978026] #PF: supervisor write access in kernel mode<br /> [ 204.979126] #PF: error_code(0x0002) - not-present page<br /> [ 204.980226] PGD 0 P4D 0<br /> [ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI<br /> ...<br /> [ 204.997852] Call Trace:<br /> [ 204.999074] <br /> [ 205.000297] start_creating+0x9f/0x1c0<br /> [ 205.001533] debugfs_create_dir+0x1f/0x170<br /> [ 205.002769] ? srso_return_thunk+0x5/0x5f<br /> [ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp]<br /> [ 205.005241] ccp5_init+0x8b2/0x960 [ccp]<br /> [ 205.006469] ccp_dev_init+0xd4/0x150 [ccp]<br /> [ 205.007709] sp_init+0x5f/0x80 [ccp]<br /> [ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp]<br /> [ 205.010165] ? srso_return_thunk+0x5/0x5f<br /> [ 205.011376] local_pci_probe+0x4f/0xb0<br /> [ 205.012584] pci_device_probe+0xdb/0x230<br /> [ 205.013810] really_probe+0xed/0x380<br /> [ 205.015024] __driver_probe_device+0x7e/0x160<br /> [ 205.016240] device_driver_attach+0x2f/0x60<br /> [ 205.017457] bind_store+0x7c/0xb0<br /> [ 205.018663] drv_attr_store+0x28/0x40<br /> [ 205.019868] sysfs_kf_write+0x5f/0x70<br /> [ 205.021065] kernfs_fop_write_iter+0x145/0x1d0<br /> [ 205.022267] vfs_write+0x308/0x440<br /> [ 205.023453] ksys_write+0x6d/0xe0<br /> [ 205.024616] __x64_sys_write+0x1e/0x30<br /> [ 205.025778] x64_sys_call+0x16ba/0x2150<br /> [ 205.026942] do_syscall_64+0x56/0x1e0<br /> [ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 205.029276] RIP: 0033:0x7fbc36f10104<br /> [ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5<br /> <br /> This patch sets ccp_debugfs_dir to NULL after destroying it in<br /> ccp5_debugfs_destroy, allowing the directory dentry to be<br /> recreated when rebinding the ccp device.<br /> <br /> Tested on AMD Ryzen 7 1700X.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.13 (including) 5.4.297 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.241 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.190 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.148 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.102 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.16 (including) 6.16.1 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools