CVE-2025-22067
📋 TL;DR
This CVE describes an out-of-bounds array access in the Linux kernel's Cadence XSPI driver (drivers/spi/spi-cadence-xspi.c, Marvell variant, in cdns_mrvl_xspi_setup_clock()). The driver selects a clock divider by walking a fixed divider table until an entry satisfies the requested SPI clock rate; when no entry matches, the loop runs off the end of the table and the driver reads past it. Depending on the kernel configuration this produces a UBSAN report, a crash, or an undefined divider value being used. The upstream fix stops the loop at the last entry, clamping unmatched requests to the slowest supported clock (6.25 MHz). It affects systems using the Cadence/Marvell XSPI controller with unpatched kernel versions.
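The divider-table lookup described above, as an added illustration in C that is not the kernel's own spi-cadence-xspi code: the 800 MHz reference clock, the six-entry divider table and the function names are assumptions, chosen so that the slowest entry yields the 6.25 MHz floor named in the upstream fix. The first lookup reproduces the vulnerable loop shape and returns an index equal to the table size when nothing matches; the second stops one entry short, which is the shape of the fix.

```c
/*
 * Added illustration of the clock-divider lookup, not the kernel's
 * spi-cadence-xspi code. BASE_CLK_HZ, clk_div_list and the function
 * names are assumptions for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define BASE_CLK_HZ 800000000U   /* assumed reference clock */

/* Dividers ordered from fastest to slowest resulting SPI clock. */
static const unsigned int clk_div_list[] = { 4, 8, 16, 32, 64, 128 };
#define N_DIVS (sizeof(clk_div_list) / sizeof(clk_div_list[0]))

static unsigned int divided_hz(size_t i)
{
    return BASE_CLK_HZ / clk_div_list[i];
}

/*
 * Vulnerable pattern: walk the whole table looking for the first entry
 * at or below the request. If nothing matches (request below the slowest
 * entry), the loop exits with i == N_DIVS, and the caller's next read of
 * clk_div_list[i] is out of bounds. Only the index is returned here so
 * the overrun can be observed without performing it.
 */
static size_t find_div_unbounded(unsigned int requested_hz)
{
    size_t i = 0;

    while (i < N_DIVS) {
        if (divided_hz(i) <= requested_hz)
            break;
        i++;
    }
    return i;
}

/*
 * Hardened pattern, the shape of the upstream fix: stop one short of the
 * end so an unmatched request lands on the last (slowest) entry instead
 * of past it. The result is always a valid index.
 */
static size_t find_div_clamped(unsigned int requested_hz)
{
    size_t i = 0;

    while (i < N_DIVS - 1) {
        if (divided_hz(i) <= requested_hz)
            break;
        i++;
    }
    return i;
}

static bool index_in_bounds(size_t i)
{
    return i < N_DIVS;
}

/* Effective clock the hardened lookup would program for a request. */
static unsigned int clamped_hz(unsigned int requested_hz)
{
    return divided_hz(find_div_clamped(requested_hz));
}

int main(void)
{
    /* Constructed sample requests: far above, exact, floor, below floor. */
    const unsigned int reqs[] = { 1000000000U, 100000000U, 6250000U, 1000000U };

    for (size_t k = 0; k < sizeof(reqs) / sizeof(reqs[0]); k++) {
        size_t bad = find_div_unbounded(reqs[k]);
        size_t good = find_div_clamped(reqs[k]);

        printf("request %10u Hz: unbounded index %zu (%s), clamped index %zu -> %u Hz\n",
               reqs[k], bad, index_in_bounds(bad) ? "ok" : "OUT OF BOUNDS",
               good, divided_hz(good));
    }
    return 0;
}
```

Building the model with -fsanitize=bounds and actually indexing the table with the unbounded result reproduces the class of UBSAN report listed under Detection & Monitoring below.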
💻 Affected Systems
- Linux kernel with Cadence/Marvell XSPI driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel crash or panic (denial of service), or a controller programmed with an undefined clock divider that leaves the attached SPI or flash devices unusable. The overrun is a read past a small constant divider table, so there is no known path from it to code execution or privilege escalation.
Likely Case
A UBSAN array-index-out-of-bounds report or kernel crash when an SPI device on the affected controller requests a clock rate outside the driver's divider table.
If Mitigated
Minimal impact on systems that do not use the Cadence/Marvell XSPI controller, or whose SPI devices only request rates the controller supports. Kernels built with CONFIG_UBSAN_BOUNDS turn the overrun into a reported splat rather than silent misbehaviour.
🎯 Exploit Status
Local only. Triggering requires control over the SPI clock rate requested for a device on the affected controller, which comes from the firmware or device tree description (the spi-max-frequency property) or from a process with access to the device node, for example through spidev's SPI_IOC_WR_MAX_SPEED_HZ ioctl. There is no remote vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernels carrying the fix commits 645f1813fe0d, 7ba0847fa1c2, c1fb84e274cb, e50781bf7acc (the mainline fix and its stable backports)
Vendor Advisory: https://git.kernel.org/stable/c/645f1813fe0dc96381c36b834131e643b798fd73
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version.
2. Reboot the system.
3. Verify the kernel version and that SPI devices on the controller still work at their configured clock rates.
🔧 Temporary Workarounds
Limit SPI clock frequency
Ensure every SPI device attached to the controller requests a clock rate the controller can actually produce. The rate is not a writable sysfs attribute of the controller; it comes from the device description. In the device tree, set the slave node's spi-max-frequency property to a supported rate; for userspace access through spidev, clamp the value passed to SPI_IOC_WR_MAX_SPEED_HZ before issuing it.
🧯 If You Can't Patch
- Disable or avoid using Cadence/Marvell XSPI controller if possible
- Audit device tree/firmware descriptions and spidev users so that no SPI device on the controller requests a clock rate outside the supported range
🔍 How to Verify
Check if Vulnerable:
Confirm the driver is present: 'lsmod | grep spi_cadence_xspi' for a modular build, or 'grep CONFIG_SPI_CADENCE_XSPI /boot/config-$(uname -r)' for a built-in one. Then compare 'uname -r' against your distribution's advisory for this CVE.
Check Version:
uname -r
Verify Fix Applied:
Confirm the running kernel is a version your distribution lists as fixed for this CVE (or, with the kernel source, that one of the fix commits is in its history), then exercise the SPI devices on the controller at each configured clock rate and check dmesg for UBSAN or spi-cadence-xspi messages.
📡 Detection & Monitoring
Log Indicators:
- UBSAN "array-index-out-of-bounds" reports naming drivers/spi/spi-cadence-xspi.c
- Kernel oops or panic traces with spi-cadence-xspi frames
- SPI transfer errors from devices on the affected controller
Network Indicators:
- None - local kernel vulnerability
SIEM Query:
source="kernel" AND ("array-index-out-of-bounds" OR "spi-cadence-xspi" OR "spi_cadence_xspi" OR "panic")