CVE-2025-21713
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's powerpc/pseries/iommu subsystem allows local attackers to cause a kernel panic (denial of service) when attempting to reuse VFIO containers across different IOMMU groups. This affects Linux systems running on PowerPC pSeries hardware with VFIO device passthrough enabled.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Local attacker causes kernel panic leading to system crash and denial of service, potentially disrupting critical workloads on affected systems.
Likely Case
Accidental triggering by legitimate users or administrators attempting to reconfigure VFIO device assignments, resulting in system instability.
If Mitigated
Minimal impact if VFIO device passthrough is not used or if users avoid reusing containers across IOMMU groups.
🎯 Exploit Status
Exploitation requires local access and specific VFIO configuration knowledge; primarily a reliability issue rather than a security bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 17391cb2613b82f8c405570fea605af3255ff8d2, ac12372a13dab3f7a2762db240bd180de8ef1e5e, b853ff0b514c1df314246fcf94744005914b48cb
Vendor Advisory: https://git.kernel.org/stable/c/17391cb2613b82f8c405570fea605af3255ff8d2
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Avoid VFIO container reuse
linuxPrevent triggering the bug by not reusing VFIO containers across different IOMMU groups.
🧯 If You Can't Patch
- Restrict VFIO device passthrough to trusted administrators only
- Monitor system logs for kernel panic events related to spapr_tce_unset_window
🔍 How to Verify
Check if Vulnerable:
Check if system is PowerPC pSeries with VFIO enabled and kernel version predates fix commits.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes the fix commits or is from a distribution that has backported the patches.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages containing 'spapr_tce_unset_window' or 'NULL pointer dereference' at address 0x308
SIEM Query:
kernel_panic AND (spapr_tce_unset_window OR "NULL pointer dereference")