CVE-2025-71125 Overview
CVE-2025-71125 is a Null Pointer Dereference vulnerability in the Linux kernel's tracing subsystem. The vulnerability occurs when attempting to register perf events for synthetic events, which currently lack a proper registration function. This results in the tracepoint register functions being called with a NULL function pointer, triggering a kernel warning and potential system instability.
Critical Impact
Local users with access to the perf subsystem can trigger kernel warnings and potential denial of service conditions by attempting to register perf events against synthetic trace events.
Affected Products
- Linux Kernel (tracing subsystem)
- Systems using perf with synthetic events functionality
- Linux distributions running vulnerable kernel versions
Discovery Timeline
- January 14, 2026 - CVE-2025-71125 published to NVD
- January 19, 2026 - Last updated in NVD database
Technical Details for CVE-2025-71125
Vulnerability Analysis
The vulnerability exists in the Linux kernel's tracing subsystem, specifically in how synthetic events interact with the perf event registration mechanism. Synthetic events are a feature that allows users to create custom trace events by combining data from other events. However, the synthetic event implementation did not include proper support for perf event registration.
When a user attempts to register a perf event against a synthetic event (such as synthetic:futex_wait), the kernel's synth_event_reg() function is called, which in turn calls tracepoint_probe_register(). Since synthetic events lack the necessary callback function for perf registration, this results in a NULL function pointer being passed to tracepoint_add_func(), triggering a kernel warning at kernel/tracepoint.c:175.
The call trace reveals the execution path: perf_event_open syscall → perf_event_alloc() → perf_try_init_event() → perf_tp_event_init() → perf_trace_init() → perf_trace_event_init() → synth_event_reg() → tracepoint_probe_register() → tracepoint_add_func().
Root Cause
The root cause is a missing implementation for perf event registration in the synthetic events subsystem. The synth_event_reg() function attempts to register a tracepoint probe without providing the required callback function pointer, resulting in NULL being passed where a valid function pointer is expected. The tracepoint infrastructure rightfully warns when attempting to add a function with a NULL pointer.
Attack Vector
The attack vector requires local access to a system with the perf subsystem enabled. An attacker or unprivileged user with perf access can trigger this vulnerability by attempting to record perf events for synthetic trace events using commands such as:
perf record -e synthetic:futex_wait
This command causes the kernel to attempt registration of a perf event against the synthetic event futex_wait, triggering the NULL pointer dereference in the tracepoint registration code. While this primarily results in a kernel warning rather than a full crash, repeated exploitation could impact system stability and fill kernel logs.
Detection Methods for CVE-2025-71125
Indicators of Compromise
- Kernel warnings in dmesg containing WARNING: kernel/tracepoint.c:175 at tracepoint_add_func
- Log entries showing perf commands failing with error code 19 (No such device) for synthetic events
- Unusual perf event registration attempts targeting synthetic event types
Detection Strategies
- Monitor kernel logs (dmesg) for warnings originating from tracepoint_add_func() in kernel/tracepoint.c
- Implement auditd rules to track perf_event_open syscalls with synthetic event parameters
- Deploy host-based monitoring for repeated perf command invocations targeting synthetic events
Monitoring Recommendations
- Enable kernel warning logging and forward to centralized SIEM systems for correlation
- Set up alerts for unusual patterns of kernel tracing subsystem warnings
- Monitor for users repeatedly attempting to access synthetic events via the perf interface
How to Mitigate CVE-2025-71125
Immediate Actions Required
- Update to a patched Linux kernel version that includes the fix
- Restrict access to the perf subsystem using kernel.perf_event_paranoid sysctl settings
- Review and limit user permissions for kernel tracing functionality
Patch Information
The fix modifies the kernel to return -ENODEV instead of proceeding with the NULL function pointer registration. This prevents the kernel warning and provides a clean error message to users attempting to use synthetic events with perf. Multiple kernel commits have been released to address this issue across different kernel branches:
- Linux Kernel Commit 3437c77
- Linux Kernel Commit 65b1971
- Linux Kernel Commit 6819bc6
- Linux Kernel Commit 6d15f08
- Linux Kernel Commit 6df47e5
- Linux Kernel Commit ef7f38d
- Linux Kernel Commit f730569
Workarounds
- Increase the kernel.perf_event_paranoid sysctl value to restrict perf access to privileged users only
- Disable synthetic events if not required in your environment
- Apply SELinux or AppArmor policies to restrict access to the perf subsystem
# Restrict perf access to root only
sysctl -w kernel.perf_event_paranoid=3
# Make the setting persistent
echo "kernel.perf_event_paranoid = 3" >> /etc/sysctl.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
