How the Vulnerability Works
The CVE-2025-22006 vulnerability in the Linux kernel’s TI AM65-CPSW Ethernet driver occurs due to incorrect sequencing of NAPI (New API) registration and interrupt handling. When the driver registers interrupts for TX/RX DMA channels before initializing their corresponding NAPI contexts, a race condition can occur. During high network traffic, the interrupt handler may trigger before NAPI structures are ready, leading to a NULL pointer dereference. This manifests as random kernel crashes since it depends on traffic timing. The flaw exists in the am65_cpsw_nuss_probe() function where interrupt request (request_irq()) is called prior to netif_napi_add().
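Added example, not the driver's or the kernel's code: a userspace C model of the probe sequence described above, in which a stand-in request_irq() runs the handler immediately when a frame is already pending. struct priv, model_napi_add(), model_request_irq() and scenario() are constructed names; the buggy order reports -1 where the real handler would dereference NULL.

```c
#include <stdio.h>

/* Constructed stand-in for struct napi_struct: poll stays NULL until the model's
 * netif_napi_add() equivalent runs, which is the uninitialised state the bug hits. */
struct napi_struct { int (*poll)(struct napi_struct *napi, int budget); };
struct priv {
    struct napi_struct napi_rx;
    int pending_irq;  /* constructed: 1 if a frame already waits when the IRQ is registered */
};
static int rx_poll(struct napi_struct *napi, int budget) { (void)napi; return budget; }

/* Stand-in for netif_napi_add(): installs the poll function on the context. */
static void model_napi_add(struct napi_struct *napi, int (*poll)(struct napi_struct *, int)) {
    napi->poll = poll;
}

/* Stand-in for the RX IRQ handler. The real handler schedules NAPI, which needs an
 * initialised context; on a NULL poll pointer the model returns -1 where the kernel crashes. */
static int rx_irq(struct priv *p) {
    return p->napi_rx.poll == NULL ? -1 : 0;
}

/* Stand-in for request_irq(): an already pending interrupt runs the handler at once. */
static int model_request_irq(struct priv *p, int (*handler)(struct priv *)) {
    return p->pending_irq ? handler(p) : 0;
}

/* Vulnerable order from the description: request_irq() before netif_napi_add(). */
int probe_buggy(struct priv *p) {
    int ret = model_request_irq(p, rx_irq);
    model_napi_add(&p->napi_rx, rx_poll);
    return ret;
}

/* Fixed order: the NAPI context is ready before the IRQ can fire. */
int probe_fixed(struct priv *p) {
    model_napi_add(&p->napi_rx, rx_poll);
    return model_request_irq(p, rx_irq);
}

/* Runs one probe in the chosen order; returns 0 on success, -1 on the NULL hit. */
int scenario(int fixed_order, int pending_irq) {
    struct priv p = { { NULL }, pending_irq };
    return fixed_order ? probe_fixed(&p) : probe_buggy(&p);
}

int main(void) {
    printf("%d %d %d\n", scenario(0, 0), scenario(0, 1), scenario(1, 1));  /* prints 0 -1 0 */
    return 0;
}
```

The buggy probe only fails when a frame is already pending, which is why the original text describes the crashes as random and traffic dependent.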
DailyCVE Form:
Platform: Linux Kernel
Version: v5.10-v6.6
Vulnerability: Race Condition
Severity: Critical
Date: 04/10/2025
What Undercode Say:
Exploitation:
# Crash trigger (requires packet flood)
hping3 -S --flood -p 80 <target_ip>
# Kernel panic observed via dmesg
dmesg | grep "Unable to handle kernel NULL pointer"
Protection:
# Patch verification
git show c5d2b6fa3a8e | grep am65_cpsw_nuss
# Check loaded module
lsmod | grep am65_cpsw
Mitigation Commands:
# Temporary workaround
echo 0 > /proc/irq/<irq_num>/smp_affinity
# Kernel module blacklist (takes the CPSW Ethernet ports offline)
echo "blacklist am65_cpsw_nuss" > /etc/modprobe.d/disable_cpsw.conf
Debugging:
# Kernel tracepoints
trace_event_irq_handler_entry()
trace_event_irq_handler_exit()
Patch Analysis:
- ret = request_irq(irq, am65_cpsw_nuss_rx_irq, 0, dev_name(dev), priv); + netif_napi_add(ndev, &priv->napi_rx, am65_cpsw_nuss_rx_poll, 64); + ret = request_irq(irq, am65_cpsw_nuss_rx_irq, 0, dev_name(dev), priv);
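Review bot: the added netif_napi_add() has no matching cleanup on the failure path: if the request_irq() that now follows it fails, priv->napi_rx stays registered, so the error path should call netif_napi_del(&priv->napi_rx) before returning ret. The call also uses the four-argument form with a weight of 64; from kernel 6.1 onward netif_napi_add() takes three arguments and the weight variant is netif_napi_add_weight(), so a backport across the stated v5.10 to v6.6 range needs the right variant per kernel.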
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-22006
Extra Source Hub:
Undercode