PT-2025-16558 · Linux+7 · Linux Kernel+7
Published
2025-03-25
·
Updated
2026-04-20
·
CVE-2025-22018
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.14.0-rc2
Description
A null pointer dereference vulnerability has been identified in the Linux kernel. The issue arises when the
MPOA cache impos rcvd() function receives a message and both the entry and holding time are null. This can trigger a null pointer dereference vulnerability. The vulnerability is related to the eg cache remove entry() function, which is called by MPOA cache impos rcvd(). The kasan log indicates a general protection fault, probably for a non-canonical address.Recommendations
To resolve the issue, update the Linux kernel to a version later than 6.14.0-rc2. As a temporary workaround, consider disabling the
eg cache remove entry() function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the entry and holding time parameters in the affected API endpoint until the issue is resolved.Exploit
Fix
NULL Pointer Dereference
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu