CVE-2025-39887

MEDIUM

Linux Kernel 6.16-6.16.7 - Null Pointer Dereference in osnoise_cpus_write

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() A crash was observed with the following output: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary) RIP: 0010:bitmap_parselist+0x53/0x3e0 Call Trace: <TASK> osnoise_cpus_write+0x7a/0x190 vfs_write+0xf8/0x410 ? do_sys_openat2+0x88/0xd0 ksys_write+0x60/0xd0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> This issue can be reproduced by below code: fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY); write(fd, "0-2", 0); When user pass 'count=0' to osnoise_cpus_write(), kmalloc() will return ZERO_SIZE_PTR (16) and cpulist_parse() treat it as a normal value, which trigger the null pointer dereference. Add check for the parameter 'count'.

References (2)

Core 2

Core References

Patch

https://git.kernel.org/stable/c/e33228a2cc7ff706ca88533464e8a3b525b961ed

Patch

https://git.kernel.org/stable/c/c1628c00c4351dd0727ef7f670694f68d9e663d8

Scores

CVSS v3 5.5

EPSS 0.0012

EPSS Percentile 2.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (9)

linux/Kernel 6.16.0 - 6.16.8linux

Linux/Linux < 6.16

Linux/Linux 17f89102fe23d7389085a8820550df688f79888a - c1628c00c4351dd0727ef7f670694f68d9e663d8

Linux/Linux 17f89102fe23d7389085a8820550df688f79888a - e33228a2cc7ff706ca88533464e8a3b525b961ed

Linux/Linux 6.16

Linux/Linux 6.16.8 - 6.16.*

Linux/Linux 6.17

linux/linux_kernel 6.17 rc1 (5 CPE variants)

linux/linux_kernel 6.16 - 6.16.8

Published Sep 23, 2025

Tracked Since Feb 18, 2026