CVE-2025-39887

EUVD-2025-30847
In the Linux kernel, the following vulnerability has been resolved:

tracing/osnoise: Fix null-ptr-deref in bitmap_parselist()

A crash was observed with the following output:

BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary)
RIP: 0010:bitmap_parselist+0x53/0x3e0
Call Trace:
 <TASK>
 osnoise_cpus_write+0x7a/0x190
 vfs_write+0xf8/0x410
 ? do_sys_openat2+0x88/0xd0
 ksys_write+0x60/0xd0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

This issue can be reproduced by below code:

fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY);
write(fd, "0-2", 0);

When user pass 'count=0' to osnoise_cpus_write(), kmalloc() will return
ZERO_SIZE_PTR (16) and cpulist_parse() treat it as a normal value, which
trigger the null pointer dereference. Add check for the parameter 'count'.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
6.16 ≤
𝑥
< 6.16.8
linuxlinux_kernel
6.17:rc1
linuxlinux_kernel
6.17:rc2
linuxlinux_kernel
6.17:rc3
linuxlinux_kernel
6.17:rc4
linuxlinux_kernel
6.17:rc5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
not-affected
bookworm (security)
6.1.162-1
fixed
bullseye
5.10.223-1
not-affected
bullseye (security)
5.10.249-1
fixed
forky
6.18.9-1
fixed
sid
6.18.12-1
fixed
trixie
6.12.63-1
not-affected
trixie (security)
6.12.73-1
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/c1628c00c4351dd0727ef7f670694f68d9e663d8
https://git.kernel.org/stable/c/e33228a2cc7ff706ca88533464e8a3b525b961ed