{"uuid": "2c2bac23-cdd9-4896-a5dc-e7183bb25572", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-37824", "type": "seen", "source": "https://t.me/cvedetector/24800", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-37824 - Linux Kernel Tipc NULL Pointer Dereference Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-37824 \nPublished : May 8, 2025, 7:15 a.m. | 2\u00a0hours, 2\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \ntipc: fix NULL pointer dereference in tipc_mon_reinit_self()  \n  \nsyzbot reported:  \n  \ntipc: Node number set to 1055423674  \nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  \nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  \nCPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full)  \nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014  \nWorkqueue: events tipc_net_finalize_work  \nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719  \n...  
\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246  \nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba  \nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010  \nRBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000  \nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007  \nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010  \nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000  \nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  \nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0  \nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  \nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  \nCall Trace:  \n   \n tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140  \n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238  \n process_scheduled_works kernel/workqueue.c:3319 [inline]  \n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400  \n kthread+0x3c2/0x780 kernel/kthread.c:464  \n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153  \n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  \n   \n...  \nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719  \n...  
\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246  \nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba  \nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010  \nRBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000  \nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007  \nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010  \nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000  \nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  \nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0  \nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  \nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  \n  \nThere is a racing condition between workqueue created when enabling  \nbearer and another thread created when disabling bearer right after  \nthat as follows:  \n  \nenabling_bearer                          | disabling_bearer  \n---------------                          | ----------------  \ntipc_disc_timeout()                      |  \n{                                        | bearer_disable()  \n ...                                     | {  \n schedule_work(&tn->work);               |  tipc_mon_delete()  \n ...                                     |  {  \n}                                        |   ...  \n                                         |   write_lock_bh(&mon->lock);  \n                                         |   mon->self = NULL;  \n                                         |   write_unlock_bh(&mon->lock);  \n                                         |   ...  \n                                         |  }  \ntipc_net_finalize_work()                 | }  \n{                                        |  \n ...                                     |  \n tipc_net_finalize()                     |  \n {                                       |  \n  ...                     
[...]", "creation_timestamp": "2025-05-08T11:44:58.000000Z"}