Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71135

CVE-2025-71135: Linux Kernel RAID5 Null Pointer Vulnerability

CVE-2025-71135 is a null pointer dereference vulnerability in Linux kernel's md/raid5 subsystem that can cause system crashes. This article covers the technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-71135 Overview

CVE-2025-71135 is a null pointer dereference vulnerability in the Linux kernel's md/raid5 subsystem, specifically within the raid5_store_group_thread_cnt() function. This vulnerability occurs when the mddev->private pointer is assigned to the conf variable but is not properly validated before being dereferenced in subsequent calls to raid5_quiesce().

Critical Impact

A null pointer dereference in the Linux kernel's RAID5 subsystem could lead to kernel panics and system crashes, potentially causing denial of service conditions on affected systems running software RAID5 configurations.

Affected Products

  • Linux Kernel (md/raid5 subsystem)
  • Systems using software RAID5 configurations
  • Linux distributions with unpatched kernel versions

Discovery Timeline

  • 2026-01-14 - CVE CVE-2025-71135 published to NVD
  • 2026-01-14 - Last updated in NVD database

Technical Details for CVE-2025-71135

Vulnerability Analysis

The vulnerability exists in the raid5_store_group_thread_cnt() function where proper null pointer validation is incomplete. While the code does check if conf is NULL after assigning mddev->private to it, the function continues execution and calls raid5_quiesce() even when the validation should have prevented this path.

Inside raid5_quiesce(), the mddev->private pointer is assigned to conf again and subsequently dereferenced in multiple locations, including accessing conf->quiesce and calling wake_up(&conf->wait_for_quiescent). When mddev->private is NULL, these dereferences result in a null pointer dereference condition.

Root Cause

The root cause is improper control flow handling after detecting a NULL conf pointer. The existing null check fails to properly exit the function before raid5_quiesce() is invoked. The correct behavior, as implemented in similar functions like raid5_change_consistency_policy(), is to unlock mddev and return from the function immediately when conf is determined to be NULL, preventing any subsequent code from attempting to dereference the null pointer.

Attack Vector

The attack vector for this vulnerability is local, requiring access to the system to trigger the condition. An attacker or malicious local user could potentially trigger this vulnerability by manipulating RAID5 configuration parameters through the sysfs interface, specifically by writing to the group_thread_cnt attribute when the RAID array is in an uninitialized or partially configured state.

The vulnerability is triggered through the following sequence:

  1. A RAID5 array is in a state where mddev->private is NULL
  2. A write operation targets the group_thread_cnt sysfs attribute
  3. raid5_store_group_thread_cnt() is invoked
  4. The function proceeds to call raid5_quiesce() despite the NULL condition
  5. Null pointer dereference occurs when accessing conf members

Detection Methods for CVE-2025-71135

Indicators of Compromise

  • Kernel panic messages referencing raid5_quiesce or raid5_store_group_thread_cnt
  • System crashes during RAID5 configuration changes
  • Unexpected kernel oops events in systems running software RAID5

Detection Strategies

  • Monitor kernel logs for null pointer dereference errors in the md/raid5 subsystem
  • Implement kernel crash dump analysis to identify exploitation attempts
  • Enable kernel address sanitizer (KASAN) to detect null pointer dereferences during testing

Monitoring Recommendations

  • Configure persistent kernel logging to capture crash events before system reboot
  • Deploy endpoint detection and response (EDR) solutions capable of monitoring kernel-level anomalies
  • Review system stability logs for patterns of RAID5-related crashes

How to Mitigate CVE-2025-71135

Immediate Actions Required

  • Update to a patched Linux kernel version that includes the fix for CVE-2025-71135
  • Review kernel configurations on systems using software RAID5
  • Restrict access to sysfs RAID configuration interfaces to privileged users only

Patch Information

The Linux kernel development team has released patches to address this vulnerability. The fix ensures that the function properly unlocks mddev and returns immediately when conf is NULL, preventing the null pointer dereference condition.

Patches are available through the following kernel.org commits:

Workarounds

  • Limit access to the RAID5 sysfs attributes by restricting permissions on /sys/block/md*/md/group_thread_cnt
  • Monitor and restrict unprivileged user access to RAID management utilities
  • Consider using hardware RAID controllers instead of software RAID5 on critical systems until patches are applied
bash
# Restrict access to RAID5 group_thread_cnt sysfs attribute
chmod 600 /sys/block/md*/md/group_thread_cnt

# Verify RAID array status before configuration changes
cat /proc/mdstat

# Check kernel version for patch status
uname -r

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.