CVE-2025-38152: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

remoteproc: core: Clear table_sz when rproc_shutdown

There is case as below could trigger kernel dump: Use U-Boot to start remote processor(rproc) with resource table published to a fixed address by rproc. After Kernel boots up, stop the rproc, load a new firmware which doesn't have resource table, and start rproc.

When starting rproc with a firmware not have resource table, `memcpy(loaded_table, rproc->cached_table, rproc->table_sz)` will trigger dump, because rproc->cache_table is set to NULL during the last stop operation, but rproc->table_sz is still valid.

This issue is found on i.MX8MP and i.MX9.

Dump as below:

```
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000
[0000000000000000] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38
Hardware name: NXP i.MX8MPlus EVK board (DT)
pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __pi_memcpy_generic+0x110/0x22c
lr : rproc_start+0x88/0x1e0
Call trace:
 __pi_memcpy_generic+0x110/0x22c (P)
 rproc_boot+0x198/0x57c
 state_store+0x40/0x104
 dev_attr_store+0x18/0x2c
 sysfs_kf_write+0x7c/0x94
 kernfs_fop_write_iter+0x120/0x1cc
 vfs_write+0x240/0x378
 ksys_write+0x70/0x108
 __arm64_sys_write+0x1c/0x28
 invoke_syscall+0x48/0x10c
 el0_svc_common.constprop.0+0xc0/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x30/0xcc
 el0t_64_sync_handler+0x10c/0x138
 el0t_64_sync+0x198/0x19c
```

Clear rproc->table_sz to address the issue.
AI Analysis
Technical Summary
CVE-2025-38152 is a vulnerability identified in the Linux kernel's remote processor (rproc) core subsystem, specifically affecting certain NXP i.MX processors such as the i.MX8MP and i.MX9. The issue arises during the lifecycle management of remote processors, which are auxiliary processors managed by the main Linux kernel. The vulnerability occurs when the remote processor is started with a firmware image that lacks a resource table after previously being stopped with a firmware that included one.

Technically, the rproc subsystem maintains a cached resource table pointer (rproc->cached_table) and its size (rproc->table_sz). When stopping the remote processor, the cached_table pointer is cleared (set to NULL), but the table_sz value remains unchanged. If the remote processor is then restarted with a firmware that does not contain a resource table, the kernel attempts to copy the cached table using memcpy(loaded_table, rproc->cached_table, rproc->table_sz). Since cached_table is NULL but table_sz is non-zero, this results in a NULL pointer dereference, causing a kernel oops and system crash (kernel dump).

The vulnerability is triggered by a specific sequence: booting the remote processor with a resource table, stopping it, loading new firmware without a resource table, and restarting it. The kernel crash is evidenced by a data abort at virtual address 0x0, indicating a NULL pointer dereference in the memcpy operation. This flaw is rooted in improper state management of the resource table size during rproc shutdown. The fix involves clearing the table_sz field during rproc_shutdown to prevent the kernel from attempting to copy from a NULL pointer. While no known exploits are reported in the wild, the vulnerability can cause denial of service (DoS) by crashing the kernel when the described sequence is executed.
The affected Linux kernel versions include several commits identified by the hash 9dc9507f1880fb6225e3e058cb5219b152cbf198, indicating the issue is present in recent development or release candidate kernels as of early 2025. This vulnerability is particularly relevant for embedded Linux systems using NXP i.MX8MP and i.MX9 processors that utilize the remoteproc framework to manage auxiliary cores or DSPs. The issue is a stability and reliability concern that could impact systems relying on these processors for critical functions.
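The stale-size condition described above, as an added example that is not kernel source: a user-space C model in which only `cached_table` and `table_sz` are taken from the advisory and every other name (`rproc_model`, `model_*`, `run_sequence`) is hypothetical. It replays the stop, reload, start sequence with and without the fix and reports the state in which the kernel's `memcpy` would read from NULL, rather than crashing.

```c
#include <stdio.h>
#include <string.h>
/* User-space model (assumption): only cached_table and table_sz are real field names. */
struct rproc_model { unsigned char buf[64]; void *cached_table; size_t table_sz; };
enum { START_OK = 0, START_WOULD_FAULT = -1 };
/* Load firmware; fw_table == NULL models an image without a resource table. */
static void model_load_fw(struct rproc_model *r, const void *fw_table, size_t sz)
{
    if (!fw_table || sz > sizeof(r->buf))
        return;                      /* nothing parsed: old state is left untouched */
    memcpy(r->buf, fw_table, sz);
    r->cached_table = r->buf;
    r->table_sz = sz;
}

/* Start; the kernel performs the copy unguarded, the model reports the bad state. */
static int model_start(struct rproc_model *r, void *loaded_table)
{
    if (!r->cached_table && r->table_sz)
        return START_WOULD_FAULT;    /* NULL source with non-zero length: the oops */
    if (r->table_sz)
        memcpy(loaded_table, r->cached_table, r->table_sz);
    return START_OK;
}

/* Shutdown; patched != 0 applies the fix and clears table_sz with the pointer. */
static void model_shutdown(struct rproc_model *r, int patched)
{
    r->cached_table = NULL;
    if (patched)
        r->table_sz = 0;
}

/* Replays the sequence from the description; returns the second start's result. */
static int run_sequence(int patched)
{
    unsigned char fw_table[16] = { 1 }, loaded[16] = { 0 };  /* constructed data */
    struct rproc_model r = { 0 };
    model_load_fw(&r, fw_table, sizeof(fw_table));
    model_start(&r, loaded);             /* first boot, table present */
    model_shutdown(&r, patched);         /* stop */
    model_load_fw(&r, NULL, 0);          /* new firmware, no resource table */
    return model_start(&r, loaded);      /* restart */
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", run_sequence(0), run_sequence(1));
    return 0;
}
```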
Potential Impact
For European organizations, the impact of CVE-2025-38152 primarily manifests as a potential denial of service (DoS) condition on embedded Linux devices using affected NXP i.MX8MP and i.MX9 processors. These processors are commonly found in industrial control systems, automotive infotainment, IoT gateways, and other embedded applications. A kernel crash on such devices can lead to system downtime, loss of availability of critical services, and potential disruption of operational technology environments. In sectors such as manufacturing, automotive, telecommunications, and critical infrastructure, where embedded Linux devices are prevalent, this vulnerability could interrupt automated processes or communication systems. Although the vulnerability does not directly expose confidentiality or integrity risks, the resulting system instability could indirectly affect business continuity and safety-critical operations. European organizations deploying embedded Linux systems in smart factories, connected vehicles, or network edge devices should be aware of this risk. The absence of known exploits reduces immediate threat levels, but the vulnerability's presence in kernel code means that attackers with local access or firmware update capabilities could intentionally trigger the crash to disrupt services. The impact is thus more significant in environments where remote processor firmware updates are performed dynamically or remotely without strict validation controls. Overall, the threat is moderate but relevant for organizations relying on affected hardware platforms within Europe’s industrial and IoT ecosystems.
Mitigation Recommendations
1. Apply Kernel Updates: Organizations should promptly update their Linux kernels to versions where this vulnerability is patched. The fix involves clearing the rproc->table_sz field during rproc_shutdown to prevent NULL pointer dereference. Monitoring Linux kernel mailing lists and vendor advisories for patches related to CVE-2025-38152 is critical.
2. Firmware Validation: Implement strict validation and integrity checks on remote processor firmware images before deployment. Ensure that firmware updates do not omit the resource table if the system expects it, or handle such cases gracefully.
3. Controlled Firmware Update Procedures: Limit the ability to update remote processor firmware to trusted administrators and secure channels to prevent malicious or accidental deployment of incompatible firmware.
4. Monitoring and Logging: Enhance monitoring of kernel logs and system stability metrics on devices using affected processors to detect early signs of crashes or abnormal behavior related to rproc operations.
5. Redundancy and Failover: For critical systems, design redundancy and failover mechanisms to maintain availability in case of device crashes caused by this vulnerability.
6. Vendor Coordination: Engage with hardware and Linux distribution vendors to obtain patched kernel versions and guidance specific to embedded platforms using i.MX8MP and i.MX9 processors.
7. Testing: Before deploying firmware updates in production, conduct thorough testing in controlled environments to verify that remote processor startup and shutdown sequences do not trigger kernel crashes.

These mitigations go beyond generic advice by focusing on firmware lifecycle management, kernel patching, and operational controls specific to embedded Linux environments.
Affected Countries
Germany, France, Italy, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.989Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe84ca
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 7:27:59 PM
Last updated: 7/29/2025, 12:55:13 PM