Linux Kernel, Out-of-Bounds Array Access, CVE-2025-22067 (Critical)

CVE-2025-22067 is a flaw in the Linux kernel’s Cadence SPI driver, in the cdns_mrvl_xspi_setup_clock() function. When the requested clock frequency exceeds 128 MHz, the loop over the `cdns_mrvl_xspi_clk_div_list` array never breaks early, so the loop index ends up one past the array’s last valid entry and is then used to index the array, producing an out-of-bounds read that can cause undefined behaviour or kernel instability. The fix makes the loop stop at the last entry, so such requests fall back to the minimum clock speed of 6.25 MHz instead of reading past the array.

DailyCVE Form

Platform: Linux Kernel
Version: Pre-patch versions
Vulnerability: Out-of-bounds read
Severity: Critical
Date: 05/06/2025

What Undercode Says:

Exploitation:

  • Trigger high clock requests (>128 MHz) via SPI device configuration.
  • Craft malicious SPI transactions to force kernel miscalculations.
  • Exploit UBSAN-detected instability for DoS or privilege escalation.

Protection:

  • Apply kernel patches from official sources.
  • Restrict untrusted SPI device attachments.
  • Monitor kernel logs for UBSAN warnings.

Analytics:

  • Affects embedded systems using Cadence SPI controllers.
  • CVSS 4.0: Base 8.6 (AV:L/AC:L/AT:N/PR:N/UI:N/S:C/C:H/I:H/A:H).

Commands:

Check kernel version:
uname -r
Patch update (Debian):
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
Log monitoring:
dmesg | grep "UBSAN"

Code Snippet (Fix Reference):

// Original vulnerable loop: when no entry satisfies the request, the loop runs
// to completion and leaves i == CDNS_MRVL_XSPI_CLK_DIV_LIST_LEN, one past the
// last valid index, which is then used to read the array (out-of-bounds read).
for (i = 0; i < CDNS_MRVL_XSPI_CLK_DIV_LIST_LEN; i++) {
	if (req_clk >= cdns_mrvl_xspi_clk_div_list[i].clk_rate)
		break;
}
// Patched loop: the bound stops at the last entry, so with no match i stays on
// the final entry (the 6.25 MHz minimum) instead of running past the array.
for (i = 0; i < CDNS_MRVL_XSPI_CLK_DIV_LIST_LEN - 1; i++) {
	if (req_clk >= cdns_mrvl_xspi_clk_div_list[i].clk_rate)
		break;
}
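As an added illustration, not code from this page or from the kernel driver, the following C model reproduces the loop pattern above with a constructed rate table and shows why the LEN - 1 bound matters: the vulnerable loop hands back an index equal to the array length when no entry satisfies the request, while the fixed loop stops on the last entry. The table values, the kHz unit and the comparison direction (taken from the page's snippet, under which the unmatched case is a request below the smallest entry) are assumptions of this model, not the driver's.

```c
#include <stdio.h>

/* Constructed clock table in kHz, descending from a 128 MHz maximum to the
 * 6.25 MHz minimum the page names; the entries are assumptions for this
 * model, not the driver's actual divider list. */
static const unsigned int clk_rate_khz[] = {
	128000, 64000, 32000, 16000, 12500, 6250,
};
#define CLK_DIV_LIST_LEN (sizeof(clk_rate_khz) / sizeof(clk_rate_khz[0]))

/* Vulnerable pattern: if no entry satisfies the request, the loop runs to
 * completion and returns i == CLK_DIV_LIST_LEN, one past the last entry,
 * which the caller then uses as an array subscript (the out-of-bounds read). */
static size_t pick_index_vulnerable(unsigned int req_khz)
{
	size_t i;
	for (i = 0; i < CLK_DIV_LIST_LEN; i++)
		if (req_khz >= clk_rate_khz[i])
			break;
	return i;
}

/* Fixed pattern: iterate only up to the second-to-last entry, so with no
 * match i stops on the last entry (the 6.25 MHz minimum) and stays valid. */
static size_t pick_index_fixed(unsigned int req_khz)
{
	size_t i;
	for (i = 0; i < CLK_DIV_LIST_LEN - 1; i++)
		if (req_khz >= clk_rate_khz[i])
			break;
	return i;
}

int main(void)
{
	/* Constructed requests: in range, exactly the minimum, and unmatched. */
	const unsigned int reqs[] = { 200000, 50000, 6250, 1000 };
	size_t n;

	for (n = 0; n < sizeof(reqs) / sizeof(reqs[0]); n++) {
		size_t bad = pick_index_vulnerable(reqs[n]);
		size_t good = pick_index_fixed(reqs[n]);
		/* Never subscript with 'bad': when it equals the length it is OOB. */
		printf("req %6u kHz: vulnerable index %zu (%s), fixed index %zu -> %u kHz\n",
		       reqs[n], bad, bad >= CLK_DIV_LIST_LEN ? "OOB" : "in bounds",
		       good, clk_rate_khz[good]);
	}
	return 0;
}
```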

Mitigation Script:

#!/bin/sh
# Temporarily unload the vulnerable SPI driver module:
sudo rmmod spi_cadence_mrvl_xspi

Impact:

  • Kernel crashes (DoS) or memory corruption.
  • Critical in IoT/embedded devices with SPI peripherals.

Sources:

Reported By: nvd.nist.gov