CVE-2025-71118 Overview
CVE-2025-71118 is a NULL pointer dereference vulnerability in the Linux kernel's ACPICA (ACPI Component Architecture) subsystem. The vulnerability occurs when the kernel attempts to walk the ACPI namespace with a NULL start_node, leading to a NULL pointer dereference in the acpi_ns_get_next_node() function. The issue was found on systems with certain malformed DSDT (Differentiated System Description Table) tables, specifically Honor Magicbook 14 Pro laptops.
Critical Impact
Systems with affected BIOS/DSDT configurations may experience kernel crashes during ACPI namespace traversal, resulting in denial of service conditions and system instability.
Affected Products
- Linux kernel (multiple versions)
- Systems with Honor FMB-P/FMB-P-PCB motherboard with BIOS 1.13 (05/08/2025)
- Other systems with malformed DSDT tables that result in NULL start_node values
Discovery Timeline
- 2026-01-14 - CVE-2025-71118 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2025-71118
Vulnerability Analysis
This vulnerability resides in the ACPICA component of the Linux kernel, specifically in the ACPI namespace walking functionality. While a previous fix (commit 0c9992315e73) addressed scenarios where both start_node and acpi_gbl_root_node were NULL, it did not account for cases where only start_node is NULL while acpi_gbl_root_node remains valid.
The flaw manifests when the kernel accesses the parent_node member during namespace traversal in acpi_ns_get_next_node(). The NULL pointer dereference occurs regardless of whether start_node equals ACPI_ROOT_OBJECT, making the check placement critical for proper protection against this condition.
Root Cause
The root cause of this vulnerability is insufficient NULL pointer validation in the ACPI namespace walking code. The original fix placed the start_node NULL check inside a conditional block, which allowed code paths where start_node could still be NULL when accessing its members. The fix moves the NULL check outside of the if block to ensure it is always evaluated before any member access occurs.
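The check placement described above, as a simplified user-space C model added here for illustration; it is not the kernel's ACPICA source. The struct layout, the resolve_start_* and walk_count names, and the status values are assumptions chosen to mirror the identifiers in this advisory.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space model of the check placement; not kernel source. */
struct ns_node { struct ns_node *child, *peer; };
enum status { AE_OK, AE_NO_NAMESPACE };
/* Sentinel meaning "start at the root"; stands in for ACPI_ROOT_OBJECT. */
#define ROOT_OBJECT ((struct ns_node *)UINTPTR_MAX)
static struct ns_node *gbl_root_node;   /* stands in for acpi_gbl_root_node */

/* Before: the NULL check only runs when the caller passed the sentinel. */
enum status resolve_start_before(struct ns_node *start, struct ns_node **out) {
    if (start == ROOT_OBJECT) {
        start = gbl_root_node;
        if (!start)
            return AE_NO_NAMESPACE;
    }
    *out = start;                       /* a NULL start slips through here */
    return AE_OK;
}

/* After: the check sits outside the if block, so every path reaches it. */
enum status resolve_start_after(struct ns_node *start, struct ns_node **out) {
    if (start == ROOT_OBJECT)
        start = gbl_root_node;
    if (!start)
        return AE_NO_NAMESPACE;
    *out = start;
    return AE_OK;
}

/* Stands in for acpi_ns_get_next_node(): dereferences parent if child is NULL. */
static struct ns_node *next_node(struct ns_node *parent, struct ns_node *child) {
    return child ? child->peer : parent->child;
}

static int count_below(struct ns_node *parent) {
    int n = 0;
    for (struct ns_node *c = next_node(parent, NULL); c; c = next_node(parent, c))
        n += 1 + count_below(c);
    return n;
}

/* Hardened walk: nodes below start, or -1 when there is no start node. */
int walk_count(struct ns_node *start) {
    struct ns_node *parent = NULL;
    return resolve_start_after(start, &parent) == AE_OK ? count_below(parent) : -1;
}
```

With a valid root and a NULL start, resolve_start_before reports success and hands back a NULL node, which is the state next_node would then dereference; resolve_start_after rejects it before the walk begins.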
The issue is triggered by malformed DSDT tables in certain device firmware. In the case of the Honor Magicbook 14 Pro, the BIOS (version 1.13, dated 05/08/2025) provides a DSDT table that results in a NULL start_node being passed to the namespace walking functions. The vendor (Honor) has reportedly refused to provide technical support for Linux, leaving the kernel developers to implement defensive checks against such firmware issues.
Attack Vector
The vulnerability is primarily triggered through:
- Malformed Firmware Tables: Systems with improperly constructed ACPI DSDT tables can trigger this vulnerability during normal boot or ACPI operations
- Specific Hardware Configurations: The Honor FMB-P/FMB-P-PCB platform with BIOS 1.13 is known to trigger this issue
- ACPI Namespace Operations: Any kernel operation that triggers ACPI namespace walking with a corrupted or NULL start node reference
The attack vector does not require user interaction and is triggered automatically during system initialization or ACPI-related kernel operations on affected hardware configurations.
Detection Methods for CVE-2025-71118
Indicators of Compromise
- Kernel panic or crash messages referencing acpi_ns_get_next_node() or ACPICA namespace operations
- System logs showing NULL pointer dereference in ACPI-related kernel functions
- Unexpected system reboots during boot phase or ACPI-related operations
- Presence of Honor FMB-P/FMB-P-PCB hardware with BIOS version 1.13
Detection Strategies
- Monitor kernel logs (dmesg) for NULL pointer dereference errors in ACPI subsystem functions
- Implement automated scanning for kernel crash dumps containing ACPICA-related stack traces
- Check DMI information for known affected hardware platforms (Honor FMB-P/FMB-P-PCB)
- Audit DSDT tables using ACPI tools (acpidump, iasl) for malformed entries
Monitoring Recommendations
- Configure kernel crash dump collection (kdump) to capture detailed information on system crashes
- Set up monitoring for kernel oops/panic events specifically in ACPI subsystem paths
- Implement hardware inventory tracking to identify systems with known affected firmware
- Monitor for repeated system instability patterns during boot or ACPI operations
How to Mitigate CVE-2025-71118
Immediate Actions Required
- Update the Linux kernel to a version containing the fix commits
- Review and identify any systems running on Honor FMB-P/FMB-P-PCB hardware or similar affected platforms
- Consider disabling or limiting ACPI functionality on affected systems if kernel updates are not immediately available
- Implement kernel panic monitoring to detect exploitation attempts or triggered instances
Patch Information
The vulnerability has been addressed through multiple commits to the Linux kernel stable branches. Patches are available through the following kernel git commits:
- Kernel Git Commit 0d8bb081
- Kernel Git Commit 1bc34293
- Kernel Git Commit 7f9b951e
- Kernel Git Commit 9d6c58da
- Kernel Git Commit b84edef4
- Kernel Git Commit ecb29628
- Kernel Git Commit f91dad0a
Organizations should update to the latest stable kernel version that includes these fixes.
Workarounds
- If kernel updates cannot be immediately applied, consider using the acpi=off kernel boot parameter to disable ACPI entirely (note: this may significantly impact system functionality)
- On virtualized systems, ensure the virtual firmware/BIOS provides valid ACPI tables
- For affected Honor hardware, check for BIOS updates that may correct the malformed DSDT table
- Implement system monitoring to detect and automatically recover from kernel crashes
```bash
# Check the running kernel version (compare it against a release that contains the fix)
uname -r

# View ACPI-related kernel messages for potential issues
dmesg | grep -i acpi

# Dump the DSDT table to dsdt.dat in the current directory (requires the acpidump tool)
sudo acpidump -n DSDT -b

# Disassemble the DSDT for inspection; writes dsdt.dsl (requires the iasl tool)
iasl -d dsdt.dat
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


