CVE-2025-22044: Vulnerability in Linux (Linux kernel)
Description
In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary bus families can be translated". This warning is emitted if the argument is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first verifies that a user-provided value call_pkg->nd_family of type u64 is not equal to 0. Then the value is converted to int, and only after that is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid argument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while the lower 32 bits are zero. Furthermore, it is best to return EINVAL immediately upon seeing the invalid user input. The WARNING is insufficient to prevent further undefined behavior based on other invalid user input. All checks of the input value should be applied to the original variable call_pkg->nd_family. [iweiny: update commit message]
AI Analysis
Technical Summary
CVE-2025-22044 is a flaw in the Linux kernel's ACPI NFIT (NVDIMM Firmware Interface Table) driver, in acpi_nfit_ctl(), the handler behind the ND_CMD_CALL passthrough ioctl on nvdimm bus and DIMM devices. A user-supplied 64-bit field, call_pkg->nd_family, selects the NVDIMM bus family. The function first confirms that the u64 is non-zero, then assigns it to an int and compares that int against NVDIMM_BUS_FAMILY_MAX. The narrowing drops the upper 32 bits, so a value such as 0x1_0000_0000 is non-zero in the first check yet becomes 0 (NVDIMM_BUS_FAMILY_NFIT) after the conversion and passes the range check. That 0 then reaches to_nfit_bus_uuid(), which only handles secondary families: it fires WARN_ONCE("only secondary bus families can be translated"), which is the warning syzkaller reported, and returns NULL, and the caller continues with that result, which the commit message characterises as undefined behaviour. The root cause is therefore a narrowing conversion combined with validation performed on the narrowed copy rather than on the original input. The fix applies every check to the original call_pkg->nd_family and returns -EINVAL as soon as the value is out of range, instead of relying on a warning further down the call path. Reaching the code requires issuing the ioctl against the nvdimm character devices (/dev/ndctl*, /dev/nmem*), which are root-owned by default, so the attacker model is a local process that already has access to those nodes. No exploits in the wild are reported, no CVSS score has been assigned, and the affected kernel versions are identified by commit hashes in the CVE record.
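As an added illustration (this is not kernel source and not part of the CVE record), the following user-space C model reproduces the check sequence before and after the fix. The family constants follow include/uapi/linux/ndctl.h; the struct name, the outcome enum, the BUS_FAMILY_MASK value and the helper names are assumptions made for this demo, and the kernel's own behaviour for out-of-range bit indices in test_bit() is not modelled.

```c
/*
 * Added example (not kernel code): a user-space model of the bus-family
 * selection in acpi_nfit_ctl() before and after the CVE-2025-22044 fix.
 * Family constants match include/uapi/linux/ndctl.h; BUS_FAMILY_MASK,
 * the outcome enum and the helper names are stand-ins for this demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
	NVDIMM_BUS_FAMILY_NFIT  = 0,	/* primary family, never "translated" */
	NVDIMM_BUS_FAMILY_INTEL = 1,	/* the one secondary family */
	NVDIMM_BUS_FAMILY_MAX   = NVDIMM_BUS_FAMILY_INTEL,
};

/* Assumed bus_family_mask: platform advertises both families. */
#define BUS_FAMILY_MASK \
	((1UL << NVDIMM_BUS_FAMILY_NFIT) | (1UL << NVDIMM_BUS_FAMILY_INTEL))

enum outcome {
	LEGACY_NFIT_PATH,	/* nd_family == 0: ordinary NFIT DSM path */
	SECONDARY_FAMILY,	/* family is handed to to_nfit_bus_uuid() */
	REJECTED_EINVAL,	/* ioctl fails with -EINVAL */
};

struct pick {
	enum outcome outcome;
	int family;		/* meaningful unless REJECTED_EINVAL */
};

/* Bounds-checked stand-in for test_bit(): out-of-range index reads as 0. */
static int bit_set(unsigned long mask, uint64_t nr)
{
	return nr < 8 * sizeof(mask) && ((mask >> nr) & 1UL);
}

/* Pre-fix logic: the u64 is copied into an int first and the range check
 * runs on the truncated copy, so 0x1'0000'0000 survives the != 0 test and
 * then reads as 0 == NVDIMM_BUS_FAMILY_NFIT. */
struct pick pick_family_vulnerable(uint64_t nd_family)
{
	struct pick r = { LEGACY_NFIT_PATH, NVDIMM_BUS_FAMILY_NFIT };
	int family;

	if (!nd_family)			/* 64-bit zero test: high-bit values pass */
		return r;

	family = (int)nd_family;	/* narrowing conversion: upper 32 bits lost */
	if (family > NVDIMM_BUS_FAMILY_MAX ||
	    !bit_set(BUS_FAMILY_MASK, (uint64_t)family)) {
		r.outcome = REJECTED_EINVAL;
		return r;
	}
	r.outcome = SECONDARY_FAMILY;
	r.family = family;
	return r;
}

/* Post-fix logic: every check is applied to the original 64-bit value and
 * the conversion happens only once the value is known to be in range. */
struct pick pick_family_fixed(uint64_t nd_family)
{
	struct pick r = { LEGACY_NFIT_PATH, NVDIMM_BUS_FAMILY_NFIT };

	if (!nd_family)
		return r;

	if (nd_family > NVDIMM_BUS_FAMILY_MAX ||
	    !bit_set(BUS_FAMILY_MASK, nd_family)) {
		r.outcome = REJECTED_EINVAL;	/* reject immediately */
		return r;
	}
	r.outcome = SECONDARY_FAMILY;
	r.family = (int)nd_family;	/* safe: nd_family <= NVDIMM_BUS_FAMILY_MAX */
	return r;
}

/* True when the selection would call to_nfit_bus_uuid(NVDIMM_BUS_FAMILY_NFIT),
 * i.e. the WARN_ONCE that syzkaller reported. */
int hits_warn_once(struct pick r)
{
	return r.outcome == SECONDARY_FAMILY && r.family == NVDIMM_BUS_FAMILY_NFIT;
}

int main(void)
{
	/* Constructed inputs: valid, out of range, and two high-bit variants. */
	const uint64_t inputs[] = { 0, 1, 2, 1ULL << 32, (1ULL << 32) | 1, UINT64_MAX };
	static const char *const names[] = { "legacy", "secondary", "EINVAL" };

	for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		struct pick v = pick_family_vulnerable(inputs[i]);
		struct pick f = pick_family_fixed(inputs[i]);

		printf("nd_family=0x%016llx  pre-fix: %-9s (family %d)%s  post-fix: %s\n",
		       (unsigned long long)inputs[i], names[v.outcome], v.family,
		       hits_warn_once(v) ? " <-- WARN_ONCE" : "", names[f.outcome]);
	}
	return 0;
}
```

Compile with any C99 compiler and run it. The 0x100000000 row shows the pre-fix path selecting family 0 for to_nfit_bus_uuid() while the post-fix path returns EINVAL; the 0x100000001 row shows a second, quieter variant where the truncated value happens to be a valid secondary family, so the old code accepts an input whose original 64-bit value was never valid.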
Potential Impact
For European organizations the practical risk is moderate and confined to hosts running an affected kernel with the NFIT driver (CONFIG_ACPI_NFIT) and NVDIMM or other persistent-memory hardware described by ACPI. Triggering the bug requires local access to the nvdimm character devices, which are root-owned by default, so the realistic threat is a compromised privileged process, a container or VM that has been handed those device nodes, or an environment where a kernel warning is already treated as fatal (kernel.panic_on_warn=1 turns the WARN_ONCE into a crash). The consequence described by the fix is a kernel warning followed by continued processing of an invalid family value, which the commit calls undefined behaviour; the demonstrated outcome is instability or a crash of the affected host, and no privilege-escalation chain has been shown. Given how widely Linux underpins servers, cloud platforms and industrial systems across Europe, the scenario to plan for is an availability impact on a persistent-memory host in a data centre, trading platform or telecom core rather than remote compromise. The bug is also a reminder that any kernel interface accepting wide integers from user space must validate the original value before narrowing it.
Mitigation Recommendations
Update to a kernel that carries the fix commit ("acpi: nfit: fix narrowing conversion in acpi_nfit_ctl") or the corresponding distribution backport, prioritising hosts that actually expose NVDIMMs; `ndctl list` or `ls /sys/bus/nd/devices` shows whether a host has any. Confirm that the nvdimm device nodes keep their default root-only permissions (`ls -l /dev/ndctl* /dev/nmem*`) and do not pass them into containers or unprivileged VMs unless a workload needs them. Where persistent-memory management tooling must run, confine it with SELinux or AppArmor policies that allow the ioctl only to that tooling. For detection, watch the kernel log for the string "only secondary bus families can be translated"; it is emitted by WARN_ONCE, so it appears at most once per boot and a single hit is already worth investigating. Note that on hosts with kernel.panic_on_warn=1 the same input panics the machine, which turns the bug into a denial of service. For critical infrastructure, isolate NVDIMM-equipped systems until patched, and keep an inventory of kernel versions and persistent-memory hardware so that the affected population can be found and remediated quickly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.810Z
- CISA Enriched: false
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7f19
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 8:25:30 PM
Last updated: 8/11/2025, 9:09:49 AM
Views: 11
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)