CVE-2025-22031

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Apr 16, 2025
Updated: Apr 29, 2025
CWE ID 476

Summary

CVE-2025-22031 is a Linux kernel vulnerability: a NULL pointer dereference in the PCIe bandwidth controller (bwctrl). During PCI device enumeration the kernel may run out of bus numbers to hand to bridges; when that happens no bus is allocated for the affected bridge and the "subordinate" pointer in its pci_dev stays NULL. The PCIe bandwidth controller did not check for a NULL subordinate pointer and dereferenced it during probe, crashing the kernel (a local denial of service, consistent with the medium CVSS score and CWE-476). The fix adds the missing NULL check and makes the probe error out instead of attempting to control bandwidth for a device that has no usable subordinate bus. On affected systems the kernel log shows messages about invalid bridge configuration and bus numbers that cannot be assigned; these indicate the triggering condition (bus-number exhaustion), not active exploitation, and are a useful signal when deciding which hosts to patch first.
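The following C program is an added illustration of the failure mode described above, not code from the Linux kernel or from this advisory. It models, with hypothetical stand-in types and function names (pci_dev, pci_bus, enumerate_bridges, bwctrl_probe_unchecked, bwctrl_probe_checked), how an enumerator that exhausts its bus-number range leaves a bridge's subordinate pointer NULL, how an unchecked probe would then dereference that NULL pointer, and how the hardened probe refuses the device with an error instead.

```c
/* Added example (not kernel code): models bus-number exhaustion leaving a
 * bridge with a NULL subordinate bus, and a probe routine with and without
 * the NULL check. All identifiers are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct pci_bus {
    int number;                   /* bus number assigned by enumeration */
};

struct pci_dev {
    const char *name;
    struct pci_bus *subordinate;  /* bus below this bridge; NULL if none was allocated */
};

/* Hypothetical enumerator: assigns bus numbers from next_bus through
 * last_bus to the bridges in order. Once the range is exhausted, no bus
 * is allocated and the bridge's subordinate pointer is left NULL.
 * Returns the number of bridges that could not be given a bus. */
static int enumerate_bridges(struct pci_dev *bridges, int n,
                             struct pci_bus *pool, int next_bus, int last_bus)
{
    int unassigned = 0;
    for (int i = 0; i < n; i++) {
        if (next_bus > last_bus) {
            bridges[i].subordinate = NULL;   /* the condition behind CVE-2025-22031 */
            unassigned++;
            continue;
        }
        pool[i].number = next_bus++;
        bridges[i].subordinate = &pool[i];
    }
    return unassigned;
}

/* Models the defect: dereferences subordinate without checking it.
 * Calling this on a bridge with no subordinate bus crashes. */
static int bwctrl_probe_unchecked(struct pci_dev *bridge)
{
    return bridge->subordinate->number;
}

/* Models the fix: a bridge with no subordinate bus is not usable for
 * bandwidth control, so error out instead of dereferencing NULL. */
static int bwctrl_probe_checked(struct pci_dev *bridge)
{
    if (!bridge->subordinate)
        return -ENODEV;
    return bridge->subordinate->number;
}

/* Probe every bridge with the hardened routine and count refusals. */
static int probe_all_checked(struct pci_dev *bridges, int n)
{
    int refused = 0;
    for (int i = 0; i < n; i++) {
        int rc = bwctrl_probe_checked(&bridges[i]);
        if (rc < 0)
            refused++;
        else
            printf("%s: bandwidth control on bus %d\n", bridges[i].name, rc);
    }
    return refused;
}

int main(void)
{
    /* Constructed input: four bridges but only two bus numbers (1 and 2). */
    struct pci_bus pool[4];
    struct pci_dev bridges[4] = {
        { "bridge0", NULL }, { "bridge1", NULL },
        { "bridge2", NULL }, { "bridge3", NULL },
    };
    int unassigned = enumerate_bridges(bridges, 4, pool, 1, 2);
    printf("%d bridge(s) left without a subordinate bus\n", unassigned);

    /* The checked probe refuses the two bridges that have no bus.
     * bwctrl_probe_unchecked(&bridges[2]) would dereference NULL here. */
    int refused = probe_all_checked(bridges, 4);
    printf("%d bridge(s) refused by the hardened probe\n", refused);
    return 0;
}
```

The unchecked routine is never called on a NULL-subordinate bridge in main; it exists only to show the single missing check that separates the crash from the graceful error.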

