Skip to main content

Linux Kernel EUVDEUVD-2025-209680

| CVE-2025-71291 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux GHSA-85c9-wpp9-8pg8
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 10:45 vuln.today
CVSS changed
May 13, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:02 EUVD
CVE Published
May 06, 2026 - 11:32 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()

In the function bcm_vk_read(), the pointer entry is checked, indicating that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the following code may cause null-pointer dereferences:

struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; set_msg_id(&tmp_msg, entry->usr_msg_id); tmp_msg.size = entry->to_h_blks - 1;

To prevent these possible null-pointer dereferences, copy to_h_msg, usr_msg_id, and to_h_blks from iter into temporary variables, and return these temporary variables to the application instead of accessing them through a potentially NULL entry.

AnalysisAI

Null pointer dereference in the Linux kernel's bcm_vk misc driver allows a local authenticated attacker to crash the kernel, resulting in a denial of service. The bcm_vk_read() function checks whether the 'entry' pointer is NULL but fails to prevent subsequent dereferences of that pointer when rc is set to -EMSGSIZE, leading to a kernel panic. No public exploit exists and the vulnerability is not listed in CISA KEV; however, vendor-released patches are available across multiple stable kernel branches, and Red Hat and SUSE have tagged this for attention in their ecosystems.

Technical ContextAI

The affected component is the bcm_vk misc driver (drivers/misc/bcm_vk/), which manages Broadcom Valkyrie PCIe accelerator cards under the Linux kernel. The CWE-476 (NULL Pointer Dereference) root cause lies in bcm_vk_read(): the function contains an explicit NULL check on the 'entry' pointer, indicating awareness that it can be NULL, yet the code path triggered when rc equals -EMSGSIZE unconditionally dereferences 'entry' to access entry->to_h_msg[0], entry->usr_msg_id, and entry->to_h_blks. The fix restructures this logic to copy values from a safe iterator ('iter') into temporaries before any conditional branching, eliminating the dereference of a potentially NULL pointer. The CPE string cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covers all Linux kernel versions from the initial commit (1da177e4c3f4) up to the specific fix commits.

RemediationAI

The primary remediation is to upgrade the Linux kernel to a patched stable release: 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0. Upstream fix commits are available at https://git.kernel.org/stable/c/aa97ccc3dc1eba9f4537f0410e9dbb0b05ccf2fb (6.1.x), https://git.kernel.org/stable/c/20f2d9dbe5e972516f8f9948d7ae5b95d1ad77bd (6.6.x), https://git.kernel.org/stable/c/ba75ecb97d3f4e95d59002c13afb6519205be6cb (6.12.x), https://git.kernel.org/stable/c/ece3722169ba93734bfd1f06255e8ab7f19fe964 (6.18.x), https://git.kernel.org/stable/c/3842f93e6e29d5cc1dcb9e5bda70587b444bed69 (6.19.x), and https://git.kernel.org/stable/c/741c5a3a0cd893a4218fc0fc8c18403e54fcfb22 (7.0). As a compensating control where patching is not immediately feasible, administrators can unload or blacklist the bcm_vk kernel module ('modprobe -r bcm_vk' and adding 'blacklist bcm_vk' to /etc/modprobe.d/) if Broadcom Valkyrie hardware is not actively in use; this eliminates the attack surface entirely but also disables the associated PCIe accelerator functionality.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2025-209680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy