CVE-2025-37824: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix NULL pointer dereference in tipc_mon_reinit_self()

syzbot reported:

tipc: Node number set to 1055423674
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events tipc_net_finalize_work
RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719
...
RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba
RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007
R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010
FS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
...
RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719
...
RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba
RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007
R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010
FS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

There is a racing condition between workqueue created when enabling bearer and another thread created when disabling bearer right after that as follow:

 enabling_bearer                          | disabling_bearer
 ---------------                          | ----------------
 tipc_disc_timeout()                      |
 {                                        | bearer_disable()
  ...                                     | {
  schedule_work(&tn->work);               |  tipc_mon_delete()
  ...                                     |  {
 }                                        |   ...
                                          |   write_lock_bh(&mon->lock);
                                          |   mon->self = NULL;
                                          |   write_unlock_bh(&mon->lock);
                                          |   ...
                                          |  }
 tipc_net_finalize_work()                 | }
 {                                        |
  ...                                     |
  tipc_net_finalize()                     |
  {                                       |
   ...                                    |
   tipc_mon_reinit_self()                 |
   {                                      |
    ...                                   |
    write_lock_bh(&mon->lock);            |
    mon->self->addr = tipc_own_addr(net); |
    write_unlock_bh(&mon->lock);          |
    ...                                   |
---truncated---
AI Analysis
Technical Summary
CVE-2025-37824 is a NULL pointer dereference in the Linux kernel's Transparent Inter-Process Communication (TIPC) subsystem, in tipc_mon_reinit_self() (net/tipc/monitor.c). It is a race between two paths that run when a bearer (a TIPC link-layer transport, such as an Ethernet interface or a UDP endpoint) is enabled and then disabled shortly afterwards. Enabling a bearer starts TIPC's discovery timer; tipc_disc_timeout() schedules tn->work, which later runs on a kernel workqueue as tipc_net_finalize_work() -> tipc_net_finalize() -> tipc_mon_reinit_self(). If the bearer is disabled before that work item runs, bearer_disable() calls tipc_mon_delete(), which takes mon->lock and sets mon->self to NULL. The deferred work then takes the same mon->lock and executes mon->self->addr = tipc_own_addr(net) without checking the pointer, reading through NULL. The KASAN report is consistent with exactly this: the faulting address 0xdffffc0000000000 is the x86-64 KASAN shadow address of the range 0x0-0x7, and RCX holds 0x3ee87cba, which is the node address 1055423674 from the log line immediately preceding the oops, i.e. the value about to be stored into mon->self->addr.

The defect is therefore not missing locking: both paths already hold mon->lock, as the race diagram in the description shows. The problem is that a work item scheduled while the monitor's self record was valid runs after another path has legitimately torn that record down under the same lock, and the work item never re-validates the pointer. The description on this page is truncated before the fix is described; the upstream commit named in the title resolves it in tipc_mon_reinit_self().

The bug was found by syzbot, the kernel's syzkaller-based continuous fuzzing service, on a 6.15.0-rc1 build. Affected and fixed version ranges are not reproduced on this page; consult the kernel CVE announcement and your distribution's advisory for the exact commit ranges. No CVSS score is assigned in this record (Cvss Version: null), and no exploitation in the wild was reported at the time of analysis.

Who can trigger it: bearer enable and disable are TIPC generic-netlink administration operations and require CAP_NET_ADMIN, so this is not reachable by an unauthenticated remote peer. Whether that capability must be held in the initial user namespace or suffices in a child namespace depends on the permission flags on the TIPC netlink operations in the running kernel, so on multi-tenant hosts that allow unprivileged user namespaces it is prudent to treat any local account as a potential trigger. The impact is a kernel oops on a kworker thread, i.e. denial of service: the worker dies and the node is left in an inconsistent TIPC state, or the host panics immediately where kernel.panic_on_oops is set. Nothing in the report indicates memory corruption, information disclosure or privilege escalation.
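To make the race concrete, the following is an added example written for this page, not kernel code and not the upstream patch: it models the two paths from the description (tipc_mon_delete() clearing mon->self under mon->lock, and the deferred tipc_mon_reinit_self() writing mon->self->addr under the same lock) with a user-space toy spinlock standing in for the kernel rwlock. The names mon_create, mon_delete, mon_reinit_self_vulnerable, mon_reinit_self_fixed and replay_* are this example's own; the NULL check in the fixed variant is this example's hardening of the pattern and is not a claim about the exact wording of the upstream fix, which the truncated description on this page does not show. The address 1055423674 is the value from the syzbot log line.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Node address from the syzbot log line "Node number set to 1055423674"
 * (0x3ee87cba, the value visible in RCX in the register dump). */
#define EXAMPLE_OWN_ADDR 1055423674u

struct peer {
    uint32_t addr;          /* stand-in for mon->self->addr */
};

struct monitor {
    atomic_flag lock;       /* toy spinlock standing in for the kernel rwlock mon->lock */
    struct peer *self;      /* cleared by mon_delete(), written by reinit */
};

void mon_lock(struct monitor *m)
{
    while (atomic_flag_test_and_set_explicit(&m->lock, memory_order_acquire))
        ;                   /* spin; good enough for a single-process demo */
}

void mon_unlock(struct monitor *m)
{
    atomic_flag_clear_explicit(&m->lock, memory_order_release);
}

/* Bearer enable: the monitor starts life with a valid self record. */
struct monitor *mon_create(void)
{
    struct monitor *m = calloc(1, sizeof(*m));
    if (!m)
        return NULL;
    m->self = calloc(1, sizeof(*m->self));
    if (!m->self) {
        free(m);
        return NULL;
    }
    atomic_flag_clear(&m->lock);
    return m;
}

/* Bearer disable: mirrors tipc_mon_delete(), which clears mon->self under
 * mon->lock. Any work scheduled earlier that still assumes mon->self is
 * valid is now wrong, lock or no lock. */
void mon_delete(struct monitor *m)
{
    mon_lock(m);
    struct peer *self = m->self;
    m->self = NULL;
    mon_unlock(m);
    free(self);
}

/* Pre-fix shape of tipc_mon_reinit_self(): take the lock, then dereference
 * mon->self unconditionally. If mon_delete() ran first this reads through
 * NULL even though the lock is held. Deliberately never called on the racy
 * path below, because it would crash the process exactly like the oops. */
void mon_reinit_self_vulnerable(struct monitor *m, uint32_t own_addr)
{
    mon_lock(m);
    m->self->addr = own_addr;   /* NULL pointer dereference when delete won */
    mon_unlock(m);
}

/* Hardened shape: the lock orders the two paths, the check handles the
 * ordering in which delete won. Returns true if the address was written. */
bool mon_reinit_self_fixed(struct monitor *m, uint32_t own_addr)
{
    bool updated = false;
    mon_lock(m);
    if (m->self) {
        m->self->addr = own_addr;
        updated = true;
    }
    mon_unlock(m);
    return updated;
}

/* The advisory's interleaving: enable, disable, then the deferred work.
 * Returns true if the hardened reinit skipped the update without touching
 * freed or NULL memory. */
bool replay_disable_before_work(void)
{
    struct monitor *m = mon_create();
    if (!m)
        return false;
    mon_delete(m);                                              /* disabling_bearer */
    bool updated = mon_reinit_self_fixed(m, EXAMPLE_OWN_ADDR);  /* tipc_net_finalize_work */
    free(m);
    return !updated;
}

/* The benign ordering: the work runs while the monitor is still alive, so
 * the address must be written. Returns the address stored in self. */
uint32_t replay_work_before_disable(void)
{
    struct monitor *m = mon_create();
    if (!m)
        return 0;
    (void)mon_reinit_self_fixed(m, EXAMPLE_OWN_ADDR);
    uint32_t seen = m->self->addr;
    mon_delete(m);
    free(m);
    return seen;
}

int main(void)
{
    printf("disable-before-work handled safely: %s\n",
           replay_disable_before_work() ? "yes" : "no");
    printf("work-before-disable wrote address:  %u\n",
           replay_work_before_disable());
    return 0;
}
```

The point the example makes is the one the race diagram makes: write_lock_bh(&mon->lock) on both sides serialises the two paths but does not tell the later one that the earlier one already invalidated the state it was scheduled to update. Any deferred work that dereferences a pointer another path may clear must re-check that pointer after acquiring the lock, or the teardown path must cancel or flush the work before clearing it.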
Potential Impact
For European organizations the exposure is confined to Linux hosts where TIPC is compiled in or loadable, which in practice means clustered and telecom-style deployments (TIPC originated in carrier-grade systems) rather than general-purpose servers. On such hosts the outcome is a kernel oops on a workqueue thread, i.e. denial of service: a crashed or inconsistent node, or an immediate panic where kernel.panic_on_oops is set, with whatever failover and service disruption that implies for telecom core networks, industrial control systems and data-centre clusters. Nothing on this page indicates privilege escalation or data exposure; the realistic abuse is availability, for example a tenant or compromised local account holding CAP_NET_ADMIN repeatedly crashing a shared node, or the crash being used to disrupt a cluster during a wider intrusion. No exploitation in the wild is recorded here, but the race is simple and the trigger sequence (enable a bearer, disable it before the deferred work runs) is described in the public commit, so the absence of a known exploit should not be read as low risk on systems that actually run TIPC.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Apply the kernel update carrying the fix for CVE-2025-37824 from their distribution. The fix is already in mainline, so check the vendor advisory for the backported package version rather than waiting for one to "become available".
2) Inventory which hosts actually have TIPC: check for CONFIG_TIPC in the kernel configuration and whether the tipc module is currently loaded (lsmod) or loadable. Only those hosts are exposed.
3) Where TIPC is not needed, prevent it from loading. The kernel auto-loads the protocol module on the first AF_TIPC socket() call, so a plain blacklist entry is not sufficient; use an install rule in /etc/modprobe.d that maps tipc to /bin/false, unload any loaded instance, and verify afterwards that creating an AF_TIPC socket fails.
4) Where TIPC is needed, restrict who can enable and disable bearers. This requires CAP_NET_ADMIN, so review which accounts, containers and orchestration agents hold it, and consider disabling unprivileged user namespaces on multi-tenant hosts if the running kernel grants TIPC netlink administration inside child namespaces.
5) Monitor for the crash signature: a kernel oops with "Workqueue: events tipc_net_finalize_work" and RIP in tipc_mon_reinit_self, and unexpected bearer enable/disable activity. Decide deliberately whether kernel.panic_on_oops plus automatic reboot or failover (fast recovery) or a halted node (preserved forensics) is the better outcome for each environment, and configure crash-dump collection (kdump) accordingly.
6) Organisations that ship their own kernels should keep syzkaller-style fuzzing in their test pipeline; the pattern here, deferred work outliving the state it was scheduled to update, recurs across kernel subsystems and is exactly what such fuzzing finds.
7) Track distribution advisories for the backport and share the affected-host inventory with the teams that own telecom and cluster infrastructure so the update is scheduled into their maintenance windows.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.950Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd8875
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/3/2025, 11:57:15 PM
Last updated: 7/31/2025, 7:38:23 AM
Views: 19
Related Threats
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9087: Stack-based Buffer Overflow in Tenda AC20 (High)
- Top Israeli Cybersecurity Director Arrested in US Child Exploitation Sting (High)