
CVE-2025-22018: Vulnerability in Linux

Severity: Medium
Published: Wed Apr 16 2025 (04/16/2025, 05:04:54 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

atm: Fix NULL pointer dereference

When MPOA_cache_impos_rcvd() receives the msg, it can trigger a NULL pointer dereference vulnerability if both entry and holding_time are NULL. Because there is only a check for the situation where entry is NULL and holding_time exists, it can be passed when both entry and holding_time are NULL. If these are NULL, the entry will be passed to eg_cache_put() as a parameter and it is referenced by the entry->use code in it.

kasan log:
[ 3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I
[ 3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102
[ 3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470
[ 3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80
[ 3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006
[ 3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e
[ 3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030
[ 3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88
[ 3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15
[ 3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068
[ 3.324185] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000
[ 3.325042] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0
[ 3.326430] Call Trace:
[ 3.326725] <TASK>
[ 3.326927] ? die_addr+0x3c/0xa0
[ 3.327330] ? exc_general_protection+0x161/0x2a0
[ 3.327662] ? asm_exc_general_protection+0x26/0x30
[ 3.328214] ? vprintk_emit+0x15e/0x420
[ 3.328543] ? eg_cache_remove_entry+0xa5/0x470
[ 3.328910] ? eg_cache_remove_entry+0x9a/0x470
[ 3.329294] ? __pfx_eg_cache_remove_entry+0x10/0x10
[ 3.329664] ? console_unlock+0x107/0x1d0
[ 3.329946] ? __pfx_console_unlock+0x10/0x10
[ 3.330283] ? do_syscall_64+0xa6/0x1a0
[ 3.330584] ? entry_SYSCALL_64_after_hwframe+0x47/0x7f
[ 3.331090] ? __pfx_prb_read_valid+0x10/0x10
[ 3.331395] ? down_trylock+0x52/0x80
[ 3.331703] ? vprintk_emit+0x15e/0x420
[ 3.331986] ? __pfx_vprintk_emit+0x10/0x10
[ 3.332279] ? down_trylock+0x52/0x80
[ 3.332527] ? _printk+0xbf/0x100
[ 3.332762] ? __pfx__printk+0x10/0x10
[ 3.333007] ? _raw_write_lock_irq+0x81/0xe0
[ 3.333284] ? __pfx__raw_write_lock_irq+0x10/0x10
[ 3.333614] msg_from_mpoad+0x1185/0x2750
[ 3.333893] ? __build_skb_around+0x27b/0x3a0
[ 3.334183] ? __pfx_msg_from_mpoad+0x10/0x10
[ 3.334501] ? __alloc_skb+0x1c0/0x310
[ 3.334809] ? __pfx___alloc_skb+0x10/0x10
[ 3.335283] ? _raw_spin_lock+0xe0/0xe0
[ 3.335632] ? finish_wait+0x8d/0x1e0
[ 3.335975] vcc_sendmsg+0x684/0xba0
[ 3.336250] ? __pfx_vcc_sendmsg+0x10/0x10
[ 3.336587] ? __pfx_autoremove_wake_function+0x10/0x10
[ 3.337056] ? fdget+0x176/0x3e0
[ 3.337348] __sys_sendto+0x4a2/0x510
[ 3.337663] ? __pfx___sys_sendto+0x10/0x10
[ 3.337969] ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400
[ 3.338364] ? sock_ioctl+0x1bb/0x5a0
[ 3.338653] ? __rseq_handle_notify_resume+0x825/0xd20
[ 3.339017] ? __pfx_sock_ioctl+0x10/0x10
[ 3.339316] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 3.339727] ? selinux_file_ioctl+0xa4/0x260
[ 3.340166] __x64_sys_sendto+0xe0/0x1c0
[ 3.340526] ? syscall_exit_to_user_mode+0x123/0x140
[ 3.340898] do_syscall_64+0xa6/0x1a0
[ 3.341170] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3.341533] RIP: 0033:0x44a380
[ 3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00
[ ---truncated---

AI-Powered Analysis

Last updated: 07/03/2025, 19:44:23 UTC

Technical Analysis

CVE-2025-22018 is a vulnerability in the Linux kernel's ATM (Asynchronous Transfer Mode) networking subsystem. The flaw lies in the function MPOA_cache_impos_rcvd(), which processes messages concerning MPOA (Multi-Protocol Over ATM) cache entries. It is a NULL pointer dereference triggered when both 'entry' and 'holding_time' are NULL: the existing code handles only the case where 'entry' is NULL and 'holding_time' is set, and it does not handle the case where both are NULL. The NULL 'entry' pointer is therefore passed on to eg_cache_put(), which dereferences it, and the kernel crashes with a general protection fault.

The kernel address sanitizer (KASAN) log quoted in the description confirms this: it reports a null-ptr-deref and a general protection fault in eg_cache_remove_entry(), and its call trace shows the message reaching msg_from_mpoad() through vcc_sendmsg() from a sendto() system call. The result is a denial of service (DoS) through a kernel crash or system panic.

The issue affects Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and presumably other versions in the same branch. No exploits are known in the wild, and no CVSS score has been assigned yet. Triggering the dereference requires crafted ATM messages, so exploitation presumably requires network access to ATM services or local privileges to send such messages. The vulnerability is low-level and affects kernel stability and availability rather than confidentiality or integrity directly.
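The decision logic at the heart of the bug, as an added C model written for this page (not the kernel's own code): the eg_cache_entry fields, the table lookup standing in for eg_ops->get_by_cache_id() and the `fixed` switch are constructed stand-ins, and the returned action names the eg_ops callback the real handler would invoke.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the kernel's eg_cache_entry: only the fields the model needs. */
typedef struct {
    uint32_t cache_id;
    int use;               /* reference count, like the kernel's entry->use */
    uint16_t holding_time;
} eg_cache_entry;

enum action { ACT_ADD, ACT_UPDATE, ACT_REMOVE, ACT_IGNORE, ACT_NULL_DEREF };

/* Stand-in for eg_ops->get_by_cache_id(): NULL when no live entry has this id. */
static eg_cache_entry *get_by_cache_id(eg_cache_entry *tbl, size_t n, uint32_t id)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].use > 0 && tbl[i].cache_id == id)
            return &tbl[i];
    return NULL;
}

/* Dispatch of an MPOA cache message, keyed on (entry, holding_time).
 * With fixed == false the branch order mirrors the vulnerable logic described
 * in the analysis; with fixed == true the missing "both NULL" case is handled. */
enum action impos_rcvd(eg_cache_entry *tbl, size_t n, uint32_t cache_id,
                       uint16_t holding_time, bool fixed)
{
    eg_cache_entry *entry = get_by_cache_id(tbl, n, cache_id);

    if (entry == NULL && holding_time)
        return ACT_ADD;                     /* add_entry(msg), then put() on the new entry */
    if (fixed && entry == NULL)
        return ACT_IGNORE;                  /* unknown id and no holding time: nothing to do */
    if (holding_time) {
        entry->holding_time = holding_time; /* update(entry, holding_time); entry is non-NULL here */
        return ACT_UPDATE;
    }
    if (entry == NULL)
        return ACT_NULL_DEREF;              /* remove_entry()/put() would read entry->use */
    entry->use--;                           /* remove_entry(), then put(): drop the reference */
    return ACT_REMOVE;
}
```

Only the combination "entry not found, holding_time == 0" reaches the last branch with a NULL entry; that is the path the KASAN trace shows.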

Potential Impact

For European organizations, the impact of CVE-2025-22018 primarily concerns system availability and reliability. Organizations running Linux systems with ATM networking enabled, particularly in telecommunications, legacy infrastructure, or specialized industrial environments, could experience kernel crashes leading to denial of service. This could disrupt critical services, especially in sectors relying on ATM for network transport, such as telecom providers, financial institutions, or industrial control systems. While the vulnerability does not directly expose data or allow privilege escalation, repeated crashes could degrade service quality and availability, impacting business operations and potentially causing financial losses. The risk is higher in environments where ATM is actively used or where the kernel version is unpatched. Since ATM is less common in modern enterprise networks, the overall impact may be limited to niche sectors or legacy systems. However, given the Linux kernel's widespread use across Europe, any unpatched systems with ATM enabled remain vulnerable to stability issues.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Identify and inventory Linux systems running kernels with the affected commit or versions, focusing on those with ATM networking enabled.
2) Apply the official Linux kernel patches or upgrade to a fixed kernel version as soon as they become available from trusted Linux distributions or kernel maintainers.
3) If patching is not immediately possible, consider disabling ATM networking modules or services to prevent triggering the vulnerable code path.
4) Implement monitoring for kernel crashes and system panics related to ATM subsystems to detect potential exploitation attempts or instability.
5) Restrict network access to ATM services, limiting exposure to untrusted networks or users who could send crafted messages.
6) For critical infrastructure, conduct thorough testing of kernel updates in staging environments to ensure stability before deployment.
7) Maintain up-to-date backups and incident response plans to recover quickly from potential denial of service events caused by this vulnerability.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.806Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9831c4522896dcbe7e7a

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/3/2025, 7:44:23 PM

Last updated: 7/26/2025, 5:58:10 PM
