Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71118

CVE-2025-71118: Linux Kernel Use-After-Free Vulnerability

CVE-2025-71118 is a use-after-free vulnerability in the Linux kernel's ACPICA component that causes NULL pointer dereference crashes. This post explains its technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-71118 Overview

CVE-2025-71118 is a Null Pointer Dereference vulnerability in the Linux kernel's ACPICA (ACPI Component Architecture) subsystem. The vulnerability occurs when the kernel attempts to walk the ACPI Namespace with a NULL start_node, leading to a NULL pointer dereference in the acpi_ns_get_next_node() function. This issue was discovered affecting systems with certain malformed DSDT (Differentiated System Description Table) tables, specifically identified on Honor Magicbook 14 Pro laptops.

Critical Impact

Systems with affected BIOS/DSDT configurations may experience kernel crashes during ACPI namespace traversal, resulting in denial of service conditions and system instability.

Affected Products

  • Linux kernel (multiple versions)
  • Systems with Honor FMB-P/FMB-P-PCB motherboard with BIOS 1.13 (05/08/2025)
  • Other systems with malformed DSDT tables that result in NULL start_node values

Discovery Timeline

  • 2026-01-14 - CVE-2025-71118 published to NVD
  • 2026-01-19 - Last updated in NVD database

Technical Details for CVE-2025-71118

Vulnerability Analysis

This vulnerability resides in the ACPICA component of the Linux kernel, specifically in the ACPI namespace walking functionality. While a previous fix (commit 0c9992315e73) addressed scenarios where both start_node and acpi_gbl_root_node were NULL, it did not account for cases where only start_node is NULL while acpi_gbl_root_node remains valid.

The flaw manifests when the kernel accesses the parent_node member during namespace traversal in acpi_ns_get_next_node(). The NULL pointer dereference occurs regardless of whether start_node equals ACPI_ROOT_OBJECT, making the check placement critical for proper protection against this condition.

Root Cause

The root cause of this vulnerability is insufficient NULL pointer validation in the ACPI namespace walking code. The original fix placed the start_node NULL check inside a conditional block, which allowed code paths where start_node could still be NULL when accessing its members. The fix moves the NULL check outside of the if block to ensure it is always evaluated before any member access occurs.

The issue is triggered by malformed DSDT tables in certain device firmware. In the case of the Honor Magicbook 14 Pro, the BIOS (version 1.13, dated 05/08/2025) provides a DSDT table that results in a NULL start_node being passed to the namespace walking functions. The vendor (Honor) has reportedly refused to provide technical support for Linux, leaving the kernel developers to implement defensive checks against such firmware issues.

Attack Vector

The vulnerability is primarily triggered through:

  1. Malformed Firmware Tables: Systems with improperly constructed ACPI DSDT tables can trigger this vulnerability during normal boot or ACPI operations
  2. Specific Hardware Configurations: The Honor FMB-P/FMB-P-PCB platform with BIOS 1.13 is known to trigger this issue
  3. ACPI Namespace Operations: Any kernel operation that triggers ACPI namespace walking with a corrupted or NULL start node reference

The attack vector does not require user interaction and is triggered automatically during system initialization or ACPI-related kernel operations on affected hardware configurations.

Detection Methods for CVE-2025-71118

Indicators of Compromise

  • Kernel panic or crash messages referencing acpi_ns_get_next_node() or ACPICA namespace operations
  • System logs showing NULL pointer dereference in ACPI-related kernel functions
  • Unexpected system reboots during boot phase or ACPI-related operations
  • Presence of Honor FMB-P/FMB-P-PCB hardware with BIOS version 1.13

Detection Strategies

  • Monitor kernel logs (dmesg) for NULL pointer dereference errors in ACPI subsystem functions
  • Implement automated scanning for kernel crash dumps containing ACPICA-related stack traces
  • Check DMI information for known affected hardware platforms (Honor FMB-P/FMB-P-PCB)
  • Audit DSDT tables using ACPI tools (acpidump, iasl) for malformed entries

Monitoring Recommendations

  • Configure kernel crash dump collection (kdump) to capture detailed information on system crashes
  • Set up monitoring for kernel oops/panic events specifically in ACPI subsystem paths
  • Implement hardware inventory tracking to identify systems with known affected firmware
  • Monitor for repeated system instability patterns during boot or ACPI operations

How to Mitigate CVE-2025-71118

Immediate Actions Required

  • Update the Linux kernel to a version containing the fix commits
  • Review and identify any systems running on Honor FMB-P/FMB-P-PCB hardware or similar affected platforms
  • Consider disabling or limiting ACPI functionality on affected systems if kernel updates are not immediately available
  • Implement kernel panic monitoring to detect exploitation attempts or triggered instances

Patch Information

The vulnerability has been addressed through multiple commits to the Linux kernel stable branches. Patches are available through the following kernel git commits:

Organizations should update to the latest stable kernel version that includes these fixes.

Workarounds

  • If kernel updates cannot be immediately applied, consider using the acpi=off kernel boot parameter to disable ACPI entirely (note: this may significantly impact system functionality)
  • On virtualized systems, ensure the virtual firmware/BIOS provides valid ACPI tables
  • For affected Honor hardware, check for BIOS updates that may correct the malformed DSDT table
  • Implement system monitoring to detect and automatically recover from kernel crashes
bash
# Check current kernel version and verify patch status
uname -r

# View ACPI-related kernel messages for potential issues
dmesg | grep -i acpi

# Dump DSDT table for analysis (requires acpidump tool)
sudo acpidump -b -o dsdt.dat

# Disassemble DSDT for inspection (requires iasl tool)
iasl -d dsdt.dat

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.