Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71313

CVE-2025-71313: Linux Kernel Use-After-Free Vulnerability

CVE-2025-71313 is a use-after-free flaw in the Linux kernel PCI endpoint that may lead to NULL pointer dereference. This article covers the technical details, affected versions, security impact, and mitigation steps.

Published:

CVE-2025-71313 Overview

CVE-2025-71313 is a NULL pointer dereference vulnerability in the Linux kernel's PCI endpoint subsystem. The flaw resides in the Non-Transparent Bridge (NTB) endpoint function driver, specifically in epf_ntb_epc_init(). The function calls alloc_workqueue() without validating its return value, which can be NULL when memory allocation fails.

When the kernel subsequently invokes queue_work() with the unchecked pointer, it dereferences NULL memory and triggers a kernel-level fault. The upstream fix adds a NULL check after alloc_workqueue() and returns -ENOMEM on failure, preventing the driver from loading with an invalid workqueue pointer.

Critical Impact

A failed workqueue allocation in the PCI endpoint NTB driver causes a kernel NULL pointer dereference, resulting in a denial-of-service condition on affected Linux systems.

Affected Products

  • Linux kernel (PCI endpoint subsystem, NTB endpoint function driver)
  • Distributions shipping the affected pci-epf-ntb driver prior to the upstream fix
  • Embedded and server platforms using PCI endpoint functionality

Discovery Timeline

  • 2026-06-03 - CVE-2025-71313 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2025-71313

Vulnerability Analysis

The vulnerability is a classic missing-return-value-check issue in kernel driver initialization. The PCI endpoint NTB driver (pci-epf-ntb) creates a workqueue during initialization to handle deferred work for the endpoint function. The original code assumed alloc_workqueue() would always succeed.

Under memory pressure or constrained allocation contexts, alloc_workqueue() returns NULL. The driver continued initialization with this NULL pointer and stored it for later use by queue_work(). When work was queued, the kernel dereferenced the NULL pointer, producing an oops and likely a kernel panic depending on configuration.

This class of bug aligns with [CWE-476: NULL Pointer Dereference] and is common when developers omit error handling for allocation primitives in initialization paths.

Root Cause

The root cause is the absence of a NULL check on the return value of alloc_workqueue() inside epf_ntb_epc_init(). Memory allocation functions in the Linux kernel can fail, and callers must validate the result before proceeding. The driver propagated an invalid pointer into the function's runtime state, deferring the fault to the first queue_work() call.

Attack Vector

Triggering the condition requires the system to attempt loading or initializing the PCI endpoint NTB function under low-memory conditions. The fault occurs in kernel context and is generally not remotely exploitable. The practical impact is local denial of service rather than code execution or privilege escalation, since the dereference happens on a NULL pointer with no attacker-controlled data.

For technical details, see the Kernel.org commit 03f336a8 and the follow-up commit 314eab67.

Detection Methods for CVE-2025-71313

Indicators of Compromise

  • Kernel oops messages referencing epf_ntb_epc_init or queue_work with a NULL dereference at low addresses
  • dmesg entries showing BUG: kernel NULL pointer dereference correlated with PCI endpoint driver loading
  • Unexpected kernel panics on systems exercising the pci-epf-ntb module under memory pressure

Detection Strategies

  • Inventory running kernels and identify hosts loading the pci-epf-ntb module via lsmod or /proc/modules
  • Compare installed kernel package versions against distribution security advisories that backport the upstream fix
  • Monitor kernel logs centrally for NULL pointer dereference traces involving PCI endpoint symbols

Monitoring Recommendations

  • Forward /var/log/kern.log and journald kernel facility entries to centralized logging for review
  • Alert on repeated kernel oops or panic events tied to PCI endpoint initialization
  • Track memory pressure metrics on systems using PCI endpoint functionality to correlate with driver failures

How to Mitigate CVE-2025-71313

Immediate Actions Required

  • Apply the upstream Linux kernel patch that introduces the NULL check after alloc_workqueue() in epf_ntb_epc_init()
  • Update to a kernel build that includes commits 03f336a8 and 314eab67 from the stable tree
  • Unload the pci-epf-ntb module on systems that do not require PCI endpoint NTB functionality

Patch Information

The fix is available in the Linux stable tree. Reference commits: 03f336a869b3 and 314eab6740bc. The patch adds a NULL check immediately after alloc_workqueue() and returns -ENOMEM on allocation failure, preventing the driver from registering with an invalid workqueue pointer.

Workarounds

  • Blacklist the pci-epf-ntb module on systems that do not use PCI endpoint NTB functionality
  • Maintain adequate free memory and avoid initializing the driver under known memory-pressure conditions
  • Restrict load permissions for kernel modules to administrative users only
bash
# Blacklist the affected module until the patched kernel is deployed
echo "blacklist pci_epf_ntb" | sudo tee /etc/modprobe.d/blacklist-pci-epf-ntb.conf
sudo depmod -a
sudo update-initramfs -u

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.