Linux Kernel, NULL Pointer Dereference, CVE-2025-22002 (Critical)

How the Vulnerability Works

This vulnerability is in the Linux kernel's netfs subsystem, in the path that handles cache operations. Filesystems such as NFS and Ceph do not implement the `invalidate_cache` method; when a write to the cache (`NETFS_WRITE_TO_CACHE`) fails on one of them, the kernel calls the absent method anyway, dereferencing a NULL function pointer. Because the CPU then tries to execute code at address 0, the result is a kernel panic with a supervisor instruction fetch error, which crashes the system. The defect sits in `netfs_write_collection_worker`, which processes cached writes without a NULL check before calling `invalidate_cache`, so the crash is uncontrolled.

DailyCVE Form:

Platform: Linux Kernel
Version: Up to 6.13.3
Vulnerability: NULL Pointer Dereference
Severity: Critical
Date: 04/10/2025

What Undercode Says:

Exploitation Analysis:

1. Crash system via malformed cache operations

2. Trigger through filesystem operations on NFS/Ceph

3. Exploit requires write access to affected filesystems

Protection Commands:

# Check kernel version
uname -r
# Patch verification
grep 'netfs_write_collection_worker' /proc/kallsyms
# Temporary mitigation
echo 0 > /proc/sys/net/netfs/cache_enabled

Vulnerable Code Pattern:

if (test_bit(NETFS_WRITE_TO_CACHE, &subreq->flags) &&
    !test_bit(NETFS_SREQ_WRITE_TO_CACHE, &subreq->flags)) {
        netfs_invalidate_cache(subreq); /* missing NULL check: calls ops->invalidate_cache whether or not the filesystem implements it */
}

Patched Code Example:

if (subreq->netfs_ops->invalidate_cache && /* only call the hook when the filesystem provides it */
    test_bit(NETFS_WRITE_TO_CACHE, &subreq->flags) &&
    !test_bit(NETFS_SREQ_WRITE_TO_CACHE, &subreq->flags)) {
        subreq->netfs_ops->invalidate_cache(subreq);
}
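As an added example (not kernel code and not from this page's author), a small userspace model of the optional-callback pattern shown above, with the unguarded call beside the guarded one. The `fs_ops` and `io_request` structs, the `cache_write_failed` flag and the two ops tables are constructed stand-ins for the netfs structures.

```c
/* Constructed userspace model of the optional-callback bug behind CVE-2025-22002;
 * not kernel code. A filesystem's ops table may leave invalidate_cache NULL, so
 * the write-collection path must check the pointer before calling through it. */
#include <stdbool.h>
#include <stdio.h>

struct io_request;
/* Trimmed-down stand-in for the netfs ops table; invalidate_cache is optional. */
struct fs_ops {
    void (*invalidate_cache)(struct io_request *rq);
};
struct io_request {
    const struct fs_ops *ops;
    bool cache_write_failed;   /* stands in for a failed NETFS_WRITE_TO_CACHE */
    int invalidations;         /* how many times the hook actually ran */
};
static void demo_invalidate(struct io_request *rq) { rq->invalidations++; }
/* One filesystem implements the hook; the NFS/Ceph-like one leaves it NULL. */
static const struct fs_ops ops_with_hook    = { demo_invalidate };
static const struct fs_ops ops_without_hook = { NULL };

/* Vulnerable pattern: calls through the pointer unconditionally. With
 * ops_without_hook this jumps to address 0 (a segfault here, a "supervisor
 * instruction fetch" panic in the kernel). Returns 1 if the hook ran, else 0. */
static int collect_vulnerable(struct io_request *rq)
{
    if (!rq->cache_write_failed)
        return 0;
    rq->ops->invalidate_cache(rq);
    return 1;
}

/* Fixed pattern: the hook is optional, so test the pointer first. */
static int collect_fixed(struct io_request *rq)
{
    if (rq->cache_write_failed && rq->ops->invalidate_cache) {
        rq->ops->invalidate_cache(rq);
        return 1;
    }
    return 0;
}
int main(void)
{
    struct io_request a = { &ops_with_hook, true, 0 };
    struct io_request b = { &ops_without_hook, true, 0 };
    printf("with hook:    fixed=%d vulnerable=%d\n", collect_fixed(&a), collect_vulnerable(&a));
    printf("without hook: fixed=%d (unguarded call would crash)\n", collect_fixed(&b));
    return 0;
}
```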

Detection Script:

import os
import re
def check_vulnerable(release=None):
    # True for kernels at or below the 6.13.3 ceiling stated above; a distro
    # backport may have fixed the bug without bumping the version string.
    match = re.match(r'(\d+)\.(\d+)(?:\.(\d+))?', release or os.uname().release)
    if not match:
        raise ValueError("unrecognised kernel release string")
    major, minor, patch = (int(part or 0) for part in match.groups())
    return (major, minor, patch) <= (6, 13, 3)

Mitigation Steps:

1. Update to patched kernel version

2. Disable affected filesystems if unused

3. Implement kernel module signing

4. Restrict filesystem mounting privileges

Debugging Commands:

# Check for crash logs
dmesg | grep 'netfs_write_collection_worker'
# Monitor filesystem operations
strace -f -e trace=file -p <pid>
# Kernel debugging
crash /usr/lib/debug/boot/vmlinux-$(uname -r) /var/crash/dumpfile

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-22002
Extra Source Hub: Undercode
