Linux Kernel, NULL Pointer Dereference, CVE-2025-37860 (Critical)

How CVE-2025-37860 Works

This vulnerability lies in the Linux kernel's sfc (Solarflare network driver) component. It stems from ef100_process_design_param() accessing net_dev (the net_device structure) before it has been initialized during the driver probe sequence. After commit

, ef100_probe_main() and ef100_check_design_params() execute before net_dev is created. When these functions call netif_set_tso_max_size() or netif_set_tso_max_segs(), they dereference a NULL pointer (efx->net_dev), causing a kernel panic. The flaw allows local attackers to trigger a denial of service through specially crafted operations during device initialization.
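As an added illustration (not the sfc driver's code), the following user-space C model shows the probe ordering described above: the unfixed shape applies the design parameters to efx->net_dev while it is still NULL, and the fixed shape stages them on efx_nic and applies them only in ef100_probe_netdev(). The tso_max_* staging fields, the _unfixed name and the sample parameter values are assumptions.

```c
/* Added user-space model of the probe ordering behind CVE-2025-37860: illustrative
 * code, not the sfc driver's. Staging fields, _unfixed name and values are assumed. */
#include <stddef.h>
#include <errno.h>

struct net_device { unsigned int tso_max_size, tso_max_segs; };
struct efx_nic {
    struct net_device *net_dev;              /* NULL until ef100_probe_netdev() */
    unsigned int tso_max_size, tso_max_segs; /* assumed staging fields */
};

/* Stand-ins for the netdev helpers named on the page; like the real ones they
 * dereference their first argument, so passing a NULL net_dev crashes. */
void netif_set_tso_max_size(struct net_device *d, unsigned int v) { d->tso_max_size = v; }
void netif_set_tso_max_segs(struct net_device *d, unsigned int v) { d->tso_max_segs = v; }

/* Vulnerable shape: applies the parameters straight to efx->net_dev, which is
 * still NULL while ef100_probe_main() runs -> kernel NULL pointer dereference. */
void ef100_process_design_param_unfixed(struct efx_nic *efx, unsigned int size, unsigned int segs)
{
    netif_set_tso_max_size(efx->net_dev, size);
    netif_set_tso_max_segs(efx->net_dev, segs);
}

/* Fixed shape: validate and stage the values; net_dev is not touched here. */
int ef100_process_design_param(struct efx_nic *efx, unsigned int size, unsigned int segs)
{
    if (!size || !segs)
        return -EINVAL;
    efx->tso_max_size = size;
    efx->tso_max_segs = segs;
    return 0;
}

/* Early probe stage, before net_dev exists; 65536/64 are constructed samples. */
int ef100_probe_main(struct efx_nic *efx)
{
    efx->net_dev = NULL;
    return ef100_process_design_param(efx, 65536, 64);
}

/* Later probe stage: net_dev exists now, so the staged limits can be applied. */
int ef100_probe_netdev(struct efx_nic *efx, struct net_device *dev)
{
    if (!dev)
        return -ENODEV;
    efx->net_dev = dev;
    netif_set_tso_max_size(dev, efx->tso_max_size);
    netif_set_tso_max_segs(dev, efx->tso_max_segs);
    return 0;
}
```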

DailyCVE Form

Platform: Linux Kernel
Version: 5.15 - 6.8
Vulnerability: NULL Pointer Dereference
Severity: Critical

Date: 04/18/2025

What Undercode Says:

Exploitation Analysis:

1. Requires local access to trigger during NIC initialization
2. Kernel panic leads to immediate system crash
3. No SMEP/SMAP bypass needed due to NULL deref

Protection Commands:

[bash]
# Mitigation: update the kernel to a patched version (dist-upgrade pulls in the new linux-image package)
sudo apt-get update && sudo apt-get dist-upgrade
# Temporary workaround: blacklist the sfc module (note: this disables Solarflare NICs until reverted,
# and a blacklist entry alone does not stop an explicit modprobe of the module)
echo "blacklist sfc" | sudo tee /etc/modprobe.d/sfc_blacklist.conf
# Verify whether the vulnerable module is currently loaded
lsmod | grep sfc

Debugging Code:

# Crash analysis via dmesg (the pattern matches both the older "unable to handle kernel
# NULL pointer dereference" and the newer "kernel NULL pointer dereference" wording)
dmesg | grep -B10 -A10 "NULL pointer dereference"
# Kernel backtrace example (illustrative timestamps, address and offsets, not a captured oops)
[ 123.456789] BUG: kernel NULL pointer dereference at 0000000000000123
[ 123.456790] Call Trace:
[ 123.456791] <TASK>
[ 123.456792] ef100_process_design_param+0x123/0x456
[ 123.456793] ef100_check_design_params+0x78/0x90

Patch Analysis:

// Fixed code moves netif calls to ef100_probe_netdev()
- netif_set_tso_max_size(efx->net_dev, ...);
+ // Moved to later initialization stage
+ pci_err(efx->pci_dev, "Design param error");
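Review bot: the replacement lines drop the TSO limit instead of deferring it. Removing netif_set_tso_max_size(efx->net_dev, ...) and adding only pci_err(efx->pci_dev, "Design param error") leaves nothing in this hunk that records the design parameter for ef100_probe_netdev(), which the comment above says is where the call now lives; show the store into an efx field here and the matching netif_set_tso_max_size()/netif_set_tso_max_segs() calls in ef100_probe_netdev(), otherwise a reader cannot confirm the limits are still applied once net_dev exists.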

Impact Metrics:

  • CVSS:4.0 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H (7.1 High)
  • Affected vendors: Solarflare, Xilinx, QLogic
  • Kernel subsystems: net/ethernet/sfc

Detection Script:

#!/bin/sh
# Checks for vulnerable sfc module versions (the version range is the page's own claim);
# modinfo pads the "version:" field with spaces, hence the " *" in the pattern, and it reports
# the on-disk module, so pair it with lsmod to see whether that module is actually loaded.
modinfo sfc | grep -Eq "^version: *1\.2\.[0-3]" && echo "Vulnerable module loaded"

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
