
Linux Kernel EUVD-2025-209675 | CVE-2025-71285 | MEDIUM (CVSS 3.1 base score 5.5)
NULL Pointer Dereference (CWE-476)
Published 2026-05-06 | Vendor: Linux | GHSA-7g25-3chf-ppwr

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (4 events)

May 13, 2026 00:00 (vuln.today): Analysis generated
May 12, 2026 21:37 (NVD): CVSS changed to 5.5 (MEDIUM)
May 06, 2026 13:02 (EUVD): Patch available
May 06, 2026 11:32 (NVD): CVE published, MEDIUM 5.5

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels

MHI stack offers the 'auto_queue' feature, which allows the MHI stack to auto queue the buffers for the RX path (DL channel). Though this feature simplifies the client driver design, it introduces a race between the client drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback' for the DL channel may get called before the client driver is fully probed. This means, by the time the dl_callback gets called, the client driver's structures might not be initialized, leading to NULL ptr dereference.

Currently, the drivers have to work around this issue by initializing the internal structures before calling mhi_prepare_for_transfer_autoqueue(). But even so, there is a chance that the client driver's internal code path may call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() is called, leading to similar NULL ptr dereference. This issue has been reported on the Qcom X1E80100 CRD machines affecting boot.

So to properly fix all these races, drop the MHI 'auto_queue' feature altogether and let the client driver (QRTR) manage the RX buffers manually. In the QRTR driver, queue the RX buffers based on the ring length during probe and recycle the buffers in 'dl_callback' once they are consumed. This also warrants removing the setting of 'auto_queue' flag from controller drivers.

Currently, this 'auto_queue' feature is only enabled for IPCR DL channel. So only the QRTR client driver requires the modification.

Analysis (AI)

A NULL pointer dereference in the Linux kernel's QRTR (Qualcomm IPC Router) driver, in its MHI (Modem Host Interface) transport, causes a denial of service: the MHI stack's auto_queue feature can invoke the driver's downlink (DL) callback before the QRTR client driver has finished probing, so the callback runs against driver structures that are not yet initialised and the kernel crashes. The fix commit reports the crash as a boot failure on Qualcomm X1E80100 CRD (Compute Reference Design) machines. NVD scores it as a local, low-privilege, availability-only impact (AV:L/PR:L/A:H); the trigger the commit describes is a timing race during device probe rather than input supplied by a local user, so the realistic exposure is a kernel panic or failed boot on systems that carry QRTR over MHI, not a crash an attacker can reliably cause on demand.

Technical Context (AI)

The issue sits where the QRTR driver meets the MHI stack, the transport used to talk to Qualcomm modems. MHI's auto_queue feature lets the stack allocate and queue receive buffers for a downlink (DL) channel itself, so the client driver does not have to manage them, but it decouples buffer delivery from the client's initialisation: once mhi_prepare_for_transfer_autoqueue() has queued buffers, the stack can invoke the client's dl_callback as soon as data arrives, even if the QRTR probe routine has not yet set up the structures the callback dereferences. A second ordering problem runs the other way: driver code paths can call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() has been called. Initialising internal state before the autoqueue call, the workaround drivers relied on, closes only the first window. Both orderings end in a NULL pointer dereference (CWE-476). The fix removes auto_queue altogether: the QRTR driver now queues its own RX buffers during probe, sized to the channel's ring length and only after its state is initialised, and re-queues each buffer from dl_callback once it has been consumed. The auto_queue flag is also dropped from the MHI controller drivers, since the IPCR DL channel was its only user.
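The race in the description and the ordering the fix adopts, as an added userspace model written for this page (not the kernel's own code): it simulates one MHI DL channel whose interrupt delivers frames whenever buffers are queued, and runs the same probe twice, once with auto_queue filling the ring before the client's private data exists, and once with the driver filling the ring itself after initialising its state and recycling each buffer from the callback. Every name here (mhi_device, qrtr_client, RING_LEN, run_scenario, the helpers) is a hypothetical stand-in for the real MHI and QRTR structures, and the sample frame is constructed.

```c
/* Userspace model of the MHI auto_queue race and of the manual RX-buffer
 * management that replaces it. Illustrative only, not Linux kernel code; every
 * name (mhi_device, qrtr_client, RING_LEN, ...) is a hypothetical stand-in. */
#include <stdlib.h>
#include <string.h>

#define RING_LEN 4                 /* simulated DL ring length */
#define RXBUF_SZ 64

struct mhi_device {                /* one simulated MHI DL channel */
    void (*dl_cb)(struct mhi_device *dev, void *buf);
    void *drvdata;                 /* client private data; NULL until probe sets it */
    void *ring[RING_LEN];          /* RX buffers currently queued to the device */
    int queued;
    int pending_frames;            /* frames the modem already has waiting */
    int faults;                    /* callbacks that found client state uninitialised */
};

struct qrtr_client { int frames_seen; };        /* client state the callback relies on */
struct outcome { int faults, frames, ring_after; };

/* Modem interrupt: while frames are pending and buffers are queued, fill a
 * buffer and run the client's callback, regardless of how far probe has got. */
static void mhi_rx_irq(struct mhi_device *dev)
{
    static const char frame[] = "QRTR frame";   /* constructed payload */
    while (dev->pending_frames > 0 && dev->queued > 0) {
        void *buf = dev->ring[--dev->queued];
        memcpy(buf, frame, sizeof frame);
        dev->pending_frames--;
        dev->dl_cb(dev, buf);
    }
}

static void mhi_queue_buf(struct mhi_device *dev, void *buf)
{
    if (dev->queued < RING_LEN)    /* never full in the scenarios below */
        dev->ring[dev->queued++] = buf;
}

/* auto_queue: the stack fills the ring itself, so the device may start
 * delivering before the client has returned from probe. */
static void mhi_prepare_for_transfer_autoqueue(struct mhi_device *dev)
{
    for (int i = 0; i < RING_LEN; i++)
        mhi_queue_buf(dev, malloc(RXBUF_SZ));
    mhi_rx_irq(dev);
}

/* No auto_queue: the channel opens with an empty ring, so the same interrupt
 * has no buffer to deliver into and cannot reach the client yet. */
static void mhi_prepare_for_transfer(struct mhi_device *dev) { mhi_rx_irq(dev); }

static void qrtr_dl_callback(struct mhi_device *dev, void *buf)
{
    struct qrtr_client *qc = dev->drvdata;
    if (!qc) {                     /* the real driver would dereference NULL here */
        dev->faults++;
        free(buf);
        return;
    }
    qc->frames_seen++;
    mhi_queue_buf(dev, buf);       /* recycle the consumed buffer (the fixed design) */
}

static void qrtr_probe_autoqueue(struct mhi_device *dev, struct qrtr_client *qc)
{                                  /* racy ordering the fix removes */
    dev->dl_cb = qrtr_dl_callback;
    mhi_prepare_for_transfer_autoqueue(dev);   /* callback can fire in here */
    dev->drvdata = qc;                          /* too late */
}

static void qrtr_probe_manual(struct mhi_device *dev, struct qrtr_client *qc)
{                                  /* fixed ordering: init, open, fill ring by hand */
    dev->drvdata = qc;
    dev->dl_cb = qrtr_dl_callback;
    mhi_prepare_for_transfer(dev);
    for (int i = 0; i < RING_LEN; i++)
        mhi_queue_buf(dev, malloc(RXBUF_SZ));
}

/* Probe with `pending` frames already waiting at the modem, take one more
 * interrupt after probe has returned, then report what happened. */
struct outcome run_scenario(int use_autoqueue, int pending)
{
    struct mhi_device dev = {0};
    struct qrtr_client qc = {0};
    dev.pending_frames = pending;
    if (use_autoqueue)
        qrtr_probe_autoqueue(&dev, &qc);
    else
        qrtr_probe_manual(&dev, &qc);
    mhi_rx_irq(&dev);
    struct outcome out = { dev.faults, qc.frames_seen, dev.queued };
    while (dev.queued > 0)         /* teardown: free whatever is still queued */
        free(dev.ring[--dev.queued]);
    return out;
}
```

With two frames waiting at the modem, run_scenario(1, 2) records two callbacks that arrived while drvdata was still NULL (each one a kernel panic in the real driver), whereas run_scenario(0, 2) processes both frames with no faults and leaves the ring refilled to RING_LEN because the callback re-queues every buffer it consumes; feeding more frames than the ring holds (run_scenario(0, 6)) shows the recycling keeping the channel supplied indefinitely.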

Remediation (AI)

Upgrade to a patched kernel: 6.18.17 or later on 6.18.x, 6.19.6 or later on 6.19.x, or 7.0 or later on 7.x. The fix is carried by commits 7bdff9b9b0c65ac7105416fe3a40686832515e20, 8c464e00e0754e016816b1860fa9592dcad80eb2 and 51731792a25cb312ca94cdccfa139eb46de1b2ef, one per branch. When backporting, take the whole change: it touches both the QRTR MHI transport (net/qrtr/mhi.c) and the MHI controller drivers that set the auto_queue flag. A quick way to confirm a tree carries the fix is that net/qrtr/mhi.c no longer calls mhi_prepare_for_transfer_autoqueue(). Prioritise the update on Qualcomm X1E80100 CRD devices and other platforms that run QRTR over MHI, where the race shows up as a boot-time crash. There is no configuration workaround: the only pre-existing mitigation, initialising driver state before calling mhi_prepare_for_transfer_autoqueue(), does not cover the second ordering problem, which is why the fix removes the feature rather than patching around it. Reference: https://git.kernel.org/stable/c/7bdff9b9b0c65ac7105416fe3a40686832515e20
