CVE-2025-39857

EUVD-2025-30343

19.09.2025, 16:15

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()

BUG: kernel NULL pointer dereference, address: 00000000000002ec
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G        OE       6.17.0-rc2+ #9 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Workqueue: smc_hs_wq smc_listen_work [smc]
RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]
...
Call Trace:
 <TASK>
 smcr_buf_map_link+0x211/0x2a0 [smc]
 __smc_buf_create+0x522/0x970 [smc]
 smc_buf_create+0x3a/0x110 [smc]
 smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]
 ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]
 smc_listen_find_device+0x1dd/0x2b0 [smc]
 smc_listen_work+0x30f/0x580 [smc]
 process_one_work+0x18c/0x340
 worker_thread+0x242/0x360
 kthread+0xe7/0x220
 ret_from_fork+0x13a/0x160
 ret_from_fork_asm+0x1a/0x30
 </TASK>

If the software RoCE device is used, ibdev->dma_device is a null pointer.
As a result, the problem occurs. Null pointer detection is added to
prevent problems.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.0 ≤ 𝑥 < 6.1.151
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.105
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.46
linux	linux_kernel	6.13 ≤ 𝑥 < 6.16.6
linux	linux_kernel	6.17:rc1
linux	linux_kernel	6.17:rc2
linux	linux_kernel	6.17:rc3
linux	linux_kernel	6.17:rc4
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.159-1 fixed
bookworm (security)	6.1.162-1 fixed
bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.249-1 fixed
forky	6.18.9-1 fixed
sid	6.18.12-1 fixed
trixie	6.12.63-1 fixed
trixie (security)	6.12.73-1 fixed

linux-6.1

bullseye (security)

6.1.162-1~deb11u1

fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/0cdf1fd8fc59d44a48c694324611136910301ef9

https://git.kernel.org/stable/c/34f17cbe027050b8d5316ea1b6f9bd7c378e92de

https://git.kernel.org/stable/c/ba1e9421cf1a8369d25c3832439702a015d6b5f9

https://git.kernel.org/stable/c/eb929910bd4b4165920fa06a87b22cc6cae92e0e

https://git.kernel.org/stable/c/f18d9b3abf9c6587372cc702f963a7592277ed56

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html