Linux Kernel, NULL Pointer Dereference, CVE-2025-22002 (Critical)

By /

Listen to this Post

How the Vulnerability Works

This vulnerability occurs in the Linux kernel’s netfs subsystem when handling cache operations. The issue arises when filesystems like NFS or Ceph (which don’t implement invalidate_cache) encounter write failures to cache (NETFS_WRITE_TO_CACHE). The kernel attempts to call the non-existent `invalidate_cache` method, leading to a NULL pointer dereference. This triggers a kernel panic with supervisor instruction fetch error, crashing the system. The vulnerability manifests in the `netfs_write_collection_worker` function when processing cached writes, where missing NULL check before calling `invalidate_cache` causes uncontrolled system crash.

DailyCVE Form:

Platform: Linux Kernel
Version: Up to 6.13.3
Vulnerability: NULL Pointer Dereference
Severity: Critical
Date: 04/10/2025

What Undercode Say:

Exploitation Analysis:

1. Crash system via malformed cache operations

2. Trigger through filesystem operations on NFS/Ceph

3. Exploit requires write access to affected filesystems

Protection Commands:

Check kernel version
uname -r
Patch verification
grep 'netfs_write_collection_worker' /proc/kallsyms
Temporary mitigation
echo 0 > /proc/sys/net/netfs/cache_enabled

Vulnerable Code Pattern:

if (test_bit(NETFS_WRITE_TO_CACHE, &subreq->flags) &&
!test_bit(NETFS_SREQ_WRITE_TO_CACHE, &subreq->flags)) {
netfs_invalidate_cache(subreq); // Missing NULL check
}

Patched Code Example:

if (subreq->netfs_ops->invalidate_cache &&
test_bit(NETFS_WRITE_TO_CACHE, &subreq->flags) &&
!test_bit(NETFS_SREQ_WRITE_TO_CACHE, &subreq->flags)) {
subreq->netfs_ops->invalidate_cache(subreq);
}

Detection Script:

import os
def check_vulnerable():
kernel_ver = os.uname().release.split('.')
major, minor = int(kernel_ver[bash]), int(kernel_ver[bash])
return (major == 6 and minor <= 13) or (major < 6)

Mitigation Steps:

1. Update to patched kernel version

2. Disable affected filesystems if unused

3. Implement kernel module signing

4. Restrict filesystem mounting privileges

Debugging Commands:

Check for crash logs
dmesg | grep 'netfs_write_collection_worker'
Monitor filesystem operations
strace -f -e trace=file -p <pid>
Kernel debugging
crash /usr/lib/debug/boot/vmlinux-$(uname -r) /var/crash/dumpfile

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-22002
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Scroll to Top