CVE-2025-22094: Vulnerability in Linux Linux

High
Published: Wed Apr 16 2025 (04/16/2025, 14:12:45 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'

Commit 176cda0619b6 ("powerpc/perf: Add perf interface to expose vpa counters") introduced 'vpa_pmu' to expose Book3s-HV nested APIv2 provided L1<->L2 context switch latency counters to L1 user-space via perf-events. However the newly introduced PMU named 'vpa_pmu' doesn't assign ownership of the PMU to the module 'vpa_pmu'. Consequently the module 'vpa_pmu' can be unloaded while one of the perf-events are still active, which can lead to kernel oops and panic of the form below on a Pseries-LPAR:

    BUG: Kernel NULL pointer dereference on read at 0x00000058
    <snip>
    NIP [c000000000506cb8] event_sched_out+0x40/0x258
    LR [c00000000050e8a4] __perf_remove_from_context+0x7c/0x2b0
    Call Trace:
    [c00000025fc3fc30] [c00000025f8457a8] 0xc00000025f8457a8 (unreliable)
    [c00000025fc3fc80] [fffffffffffffee0] 0xfffffffffffffee0
    [c00000025fc3fcd0] [c000000000501e70] event_function+0xa8/0x120
    <snip>
    Kernel panic - not syncing: Aiee, killing interrupt handler!

Fix this by adding the module ownership to 'vpa_pmu' so that the module 'vpa_pmu' is ref-counted and prevented from being unloaded when perf-events are initialized.

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 21:11:49 UTC

Technical Analysis

CVE-2025-22094 is a vulnerability in the Linux kernel affecting the PowerPC architecture's performance monitoring unit (PMU) named 'vpa_pmu'. This PMU was introduced to expose Book3s-HV nested APIv2 L1 to L2 context switch latency counters to L1 user-space via perf-events.

The vulnerability stems from improper reference counting of the 'vpa_pmu' kernel module. The PMU does not assign its ownership to the module, so the module can be unloaded while perf-events that depend on it are still active. This leads to a use-after-free condition causing a NULL pointer dereference in kernel space, resulting in a kernel oops and potential kernel panic on affected systems, specifically Pseries Logical Partitions (LPARs). The panic manifests as a crash with messages indicating a NULL pointer dereference during event scheduling and perf-event removal.

The root cause is the missing module reference count increment that would normally prevent unloading while the PMU is in use. The fix adds proper module ownership and reference counting to the 'vpa_pmu' module so that it cannot be unloaded during active perf-events, thereby eliminating the race condition and preventing kernel crashes.

This vulnerability affects Linux kernel versions containing the specific commit 176cda0619b6c17a553625f6e2fcbc3981ad667d and likely subsequent versions until patched. No known exploits are reported in the wild as of the publication date.
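The ownership gap described above, as a simplified user-space C model added here for illustration; it is not kernel code and not the upstream patch. The structs and functions are hypothetical stand-ins for the kernel's PMU owner field and module reference counting.

```c
#include <stdio.h>

/* User-space model only: names echo kernel concepts, bodies are simplified assumptions. */
struct module { const char *name; int refcnt; int loaded; };
struct pmu { const char *name; struct module *owner; /* stands in for the PMU's module-owner field */ };
struct perf_event { struct pmu *pmu; };

/* Pin the owning module while an event exists (models taking a module reference). */
static int module_get(struct module *m) {
    if (!m) return 1;          /* no owner recorded: nothing gets pinned */
    if (!m->loaded) return 0;  /* module already gone: refuse the event */
    m->refcnt++;
    return 1;
}

static int event_init(struct perf_event *e, struct pmu *p) {
    if (!module_get(p->owner)) return -1;
    e->pmu = p;
    return 0;
}

static void event_destroy(struct perf_event *e) {
    if (e->pmu->owner) e->pmu->owner->refcnt--;  /* drop the pin taken at init */
}

/* Models module removal: refused (-1) while any reference is held. */
static int module_unload(struct module *m) {
    if (m->refcnt > 0) return -1;
    m->loaded = 0;
    return 0;
}

/* Returns 1 if the module could be unloaded while an event was still live. */
int unload_races_with_event(int pmu_sets_owner) {
    struct module mod = { "vpa_pmu", 0, 1 };
    struct pmu pmu = { "vpa_pmu", pmu_sets_owner ? &mod : NULL };
    struct perf_event ev;
    if (event_init(&ev, &pmu) != 0) return -1;
    int unloaded_while_live = (module_unload(&mod) == 0);
    event_destroy(&ev);
    return unloaded_while_live;
}

int main(void) {
    printf("owner unset: unloaded with live event = %d\n", unload_races_with_event(0));
    printf("owner set:   unloaded with live event = %d\n", unload_races_with_event(1));
    return 0;
}
```

With the owner unset, the unload succeeds while the event still points at the PMU, which is the state the oops in the description comes from; with the owner set, the unload is refused until the event is destroyed.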

Potential Impact

For European organizations running Linux on PowerPC-based systems, particularly IBM Pseries LPARs, this vulnerability poses a risk of system instability and denial of service due to kernel panics. Such crashes can disrupt critical workloads, especially in enterprise environments relying on virtualization and nested performance monitoring. The impact is primarily on availability, as kernel panics cause abrupt system halts requiring reboots and potentially leading to data loss or service downtime. Confidentiality and integrity impacts are minimal since the vulnerability does not allow privilege escalation or arbitrary code execution. However, the disruption of services can affect business continuity, especially in sectors like finance, manufacturing, and government institutions that may use PowerPC-based Linux servers. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to avoid accidental or malicious triggering of kernel panics. Organizations using perf-events for performance monitoring on affected systems are particularly vulnerable during active monitoring sessions.

Mitigation Recommendations

1. Apply the official Linux kernel patch that adds proper module ownership and reference counting to the 'vpa_pmu' module as soon as it becomes available from trusted Linux kernel maintainers or distributors.
2. Until patched, avoid unloading the 'vpa_pmu' module while perf-events are active to prevent triggering the race condition.
3. Limit or disable the use of perf-events related to 'vpa_pmu' on affected PowerPC systems if feasible, especially in production environments.
4. Implement monitoring and alerting for kernel oops or panic messages related to perf-events and 'vpa_pmu' to detect potential exploitation or accidental triggers early.
5. Conduct thorough testing of kernel updates in staging environments before deployment to ensure stability.
6. Maintain up-to-date backups and disaster recovery plans to mitigate downtime caused by unexpected kernel panics.
7. Engage with Linux distribution vendors for timely security advisories and patches relevant to PowerPC platforms.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.818Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe80c9

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 9:11:49 PM

Last updated: 7/30/2025, 8:25:25 PM
