CVE-2025-22089: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Don't expose hw_counters outside of init net namespace

Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") accidentally almost exposed hw counters to non-init net namespaces. It didn't expose them fully, as an attempt to read any of those counters leads to a crash like this one:

[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028
[42021.814463] #PF: supervisor read access in kernel mode
[42021.819549] #PF: error_code(0x0000) - not-present page
[42021.824636] PGD 0 P4D 0
[42021.827145] Oops: 0000 [#1] SMP PTI
[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX
[42021.841697] Hardware name: XXX
[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]
[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48
[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287
[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000
[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0
[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000
[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530
[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000
[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000
[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0
[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[42021.949324] Call Trace:
[42021.951756] <TASK>
[42021.953842] [<ffffffff86c58674>] ? show_regs+0x64/0x70
[42021.959030] [<ffffffff86c58468>] ? __die+0x78/0xc0
[42021.963874] [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0
[42021.969749] [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0
[42021.975549] [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30
[42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]
[42021.988482] [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core]
[42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50
[42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0
[42022.006508] [<ffffffff86a11134>] seq_read_iter+0xf4/0x410
[42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0
[42022.017058] [<ffffffff869f50ee>] ksys_read+0x6e/0xe0
[42022.022073] [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0
[42022.027441] [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2

The problem can be reproduced using the following steps:

ip netns add foo
ip netns exec foo bash
cat /sys/class/infiniband/mlx4_0/hw_counters/*

The panic occurs because casting the device pointer into an ib_device pointer using container_of() in hw_stat_device_show() is wrong and leads to a memory corruption. However, the real problem is that hw counters should never have been exposed outside of the non-init net namespace.

Fix this by saving the index of the corresponding attribute group (it might be 1 or 2 depending on the presence of driver-specific attributes) and zeroing the pointer to the hw_counters group for compat devices during the initialization.

With this fix applied hw_counters are not available in a non-init net namespace:

find /sys/class/infiniband/mlx4_0/ -name hw_counters
/sys/class/infiniband/mlx4_0/ports/1/hw_counters
/sys/class/infiniband/mlx4_0/ports/2/hw_counters
/sys/class/infiniband/mlx4_0/hw_counters

ip netns add foo
ip netns exec foo bash
find /sys/class/infiniband/mlx4_0/ -name hw_counters
AI Analysis
Technical Summary
CVE-2025-22089 is a vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) core subsystem concerning the exposure of hardware counters (hw_counters) outside the initial network namespace (init net namespace). It was introduced by commit 467f432a521a, which split port and device counter sysfs attributes and in doing so inadvertently made the hw_counters sysfs entries partially visible to non-init network namespaces. The exposure is only partial: reading any of those counters from a non-init namespace crashes the kernel with a NULL pointer dereference. The immediate cause of the crash is that hw_stat_device_show() incorrectly casts the device pointer to an ib_device pointer using container_of(), leading to memory corruption and a kernel panic. The crash can be reproduced by creating a new network namespace and reading the hw_counters sysfs entries of an InfiniBand device from inside it. The underlying problem, however, is that hw_counters should never be accessible outside the init net namespace at all, as these counters are kernel objects tied to device state. The fix saves the index of the corresponding attribute group during initialization and zeroes the pointer to the hw_counters group for compat devices, so the entries are no longer created in non-init namespaces. The vulnerability affects Linux kernel versions containing the offending commit on systems with RDMA-capable InfiniBand devices. No exploits are known in the wild, but triggering the flaw causes a denial of service (kernel panic) that affects system stability and availability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to environments running Linux kernels with the affected commit and using RDMA-capable hardware such as InfiniBand devices, which are common in high-performance computing (HPC), data centers, and enterprise networking infrastructure. The vulnerability can be exploited to cause a denial of service: the kernel crashes when an unprivileged user or process in a non-init network namespace reads the hw_counters sysfs entries. This could disrupt critical services, especially in sectors that depend on stable, high-throughput networking, such as financial services, research institutions, telecommunications, and cloud providers. Although the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting kernel panic could lead to downtime, data loss, or interruption of sensitive operations. Multi-tenant environments that rely on network namespaces for containerization or virtualization are particularly exposed: an untrusted tenant that triggers the crash takes down the shared host, affecting every other tenant on it and potentially causing cascading failures in shared infrastructure.
Mitigation Recommendations
European organizations should apply the Linux kernel patch that addresses this vulnerability by properly restricting access to hw_counters outside the init network namespace. Specifically, system administrators should:
1) Identify all Linux systems whose kernel contains commit 467f432a521a and update them to a kernel version that includes the fix.
2) Audit usage of network namespaces and RDMA hardware to ensure that unprivileged users or containers do not have access to sensitive sysfs entries related to hw_counters.
3) Implement strict access controls and namespace isolation policies to prevent unauthorized access to kernel device attributes.
4) Monitor kernel logs for the crash signature shown in the description (a "BUG: kernel NULL pointer dereference" with RIP in hw_stat_device_show [ib_core] reached through the sysfs read path) and for other kernel panics related to ib_core or hw_counters, to detect attempted exploitation.
5) For environments where immediate patching is not feasible, consider disabling RDMA hardware or restricting access to InfiniBand devices until the patch can be applied.
6) Engage with hardware and Linux distribution vendors to ensure timely receipt of security updates, and verify that the kernel versions in use include the fix; the commit message's own check, running find /sys/class/infiniband/<device>/ -name hw_counters inside a fresh network namespace, should return nothing on a fixed kernel.
These steps go beyond generic advice by focusing on the specific subsystem and usage patterns that expose the vulnerability.
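To support the log monitoring in step 4, the following Python is an added example (not from the advisory or the kernel project) that groups kernel log lines into NULL-dereference oops records and flags those with the shape quoted in the description: a fault in hw_stat_device_show() of ib_core reached through the sysfs read path. The first sample oops is trimmed from the one on this page; the second is a constructed, unrelated oops with made-up function and module names.

```python
import re
from dataclasses import dataclass, field

# Regexes for the dmesg/journal shape of the oops quoted in the CVE description.
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: (?P<addr>[0-9a-f]+)")
RIP_RE = re.compile(r"RIP: \w+:(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")
FRAME_RE = re.compile(r"(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")

@dataclass
class Oops:
    address: str                 # faulting address from the BUG line
    rip_symbol: str = ""         # function the RIP pointed into
    rip_module: str = "kernel"   # module in [] on the RIP line, or "kernel"
    frames: list = field(default_factory=list)  # (symbol, module) per trace line

def parse_oopses(lines):
    """Group kernel log lines into NULL-deref oops records."""
    oopses, cur = [], None
    for raw in lines:
        line = TS_RE.sub("", raw.strip())   # drop the [seconds] timestamp prefix
        if (m := BUG_RE.search(line)):
            cur = Oops(address=m.group("addr"))
            oopses.append(cur)
        elif cur is None:
            continue                         # lines before any BUG header
        elif (m := RIP_RE.search(line)):
            cur.rip_symbol, cur.rip_module = m.group("sym"), m.group("mod") or "kernel"
        elif (m := FRAME_RE.search(line)):
            cur.frames.append((m.group("sym"), m.group("mod") or "kernel"))
    return oopses

def matches_cve_2025_22089(o):
    """Fault in hw_stat_device_show() of ib_core, reached via a sysfs attribute read."""
    at_hw_stat = o.rip_symbol == "hw_stat_device_show" and o.rip_module == "ib_core"
    via_sysfs = any(sym in ("dev_attr_show", "sysfs_kf_seq_show") for sym, _ in o.frames)
    return at_hw_stat and via_sysfs

def find_hw_counter_crashes(lines):
    return [o for o in parse_oopses(lines) if matches_cve_2025_22089(o)]

# Constructed sample: first oops trimmed from the advisory, second is unrelated (made-up names).
SAMPLE_LOG = """\
[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028
[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]
[42021.949324] Call Trace:
[42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]
[42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50
[42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0
[42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0
[50000.000000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[50000.000001] RIP: 0010:example_fn+0x10/0x20 [example_mod]
[50000.000003] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0
"""
```

In practice, feed the output of dmesg or journalctl -k to find_hw_counter_crashes() line by line; a hit indicates that something in a non-init network namespace read the hw_counters entries on an unpatched kernel.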
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.817Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe8097
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 9:10:27 PM
Last updated: 8/11/2025, 12:16:32 PM