Vulnerability Database

319,194

Total vulnerabilities in the database

CVE-2025-37949

In the Linux kernel, the following vulnerability has been resolved:

xenbus: Use kref to track req lifetime

Marek reported seeing a NULL pointer fault in the xenbus_thread callstack: BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: e030:__wake_up_common+0x4c/0x180 Call Trace: <TASK> __wake_up_common_lock+0x82/0xd0 process_msg+0x18e/0x2f0 xenbus_thread+0x165/0x1c0

process_msg+0x18e is req->cb(req). req->cb is set to xs_wake_up(), a thin wrapper around wake_up(), or xenbus_dev_queue_reply(). It seems like it was xs_wake_up() in this case.

It seems like req may have woken up the xs_wait_for_reply(), which kfree()ed the req. When xenbus_thread resumes, it faults on the zero-ed data.

Linux Device Drivers 2nd edition states: "Normally, a wake_up call can cause an immediate reschedule to happen, meaning that other processes might run before wake_up returns." ... which would match the behaviour observed.

Change to keeping two krefs on each request. One for the caller, and one for xenbus_thread. Each will kref_put() when finished, and the last will free it.

This use of kref matches the description in Documentation/core-api/kref.rst

  • Published: May 20, 2025
  • Updated: Dec 18, 2025
  • CVE: CVE-2025-37949
  • Severity: Medium
  • Exploit:

CVSS v3:

  • Severity: Medium
  • Score: 5.5
  • AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs:

Software From Fixed in
linux / linux_kernel 4.11 5.4.294
linux / linux_kernel 5.5 5.10.238
linux / linux_kernel 5.11 5.15.183
linux / linux_kernel 5.16 6.1.139
linux / linux_kernel 6.2 6.6.91
linux / linux_kernel 6.7 6.12.29
linux / linux_kernel 6.13 6.14.7
linux / linux_kernel 6.15-rc1 6.15-rc1.x
linux / linux_kernel 6.15-rc2 6.15-rc2.x
linux / linux_kernel 6.15-rc3 6.15-rc3.x
linux / linux_kernel 6.15-rc4 6.15-rc4.x
linux / linux_kernel 6.15-rc5 6.15-rc5.x
debian / debian_linux 11.0 11.0.x