CVE-2025-22069
📋 TL;DR
A stack layout mismatch in the RISC-V architecture's ftrace implementation in the Linux kernel causes a kernel warning and potential instability when ftrace return probes are enabled. This affects Linux systems running on RISC-V hardware with ftrace tracing enabled. The vulnerability could lead to kernel crashes or instability.
💻 Affected Systems
- Linux kernel
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic or system crash leading to denial of service, potentially requiring physical access to restore functionality.
Likely Case
Kernel warnings and system instability when ftrace return probes are enabled, possibly causing application crashes or system hangs.
If Mitigated
No impact if ftrace return probes are disabled or the system is not using RISC-V architecture.
🎯 Exploit Status
The reproduction steps are documented in the CVE description and require local shell access with the ability to write to debugfs and enable ftrace probes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in kernel commits 67a5ba8f742f247bc83e46dd2313c142b1383276 and 78b39c587b8f6c69140177108f9c08a75b1c7c37
Vendor Advisory: https://git.kernel.org/stable/c/67a5ba8f742f247bc83e46dd2313c142b1383276
Restart Required: Yes
Instructions:
1. Update to a kernel version containing the fix.
2. Check with your Linux distribution for backported patches.
3. Reboot the system after kernel update.
🔧 Temporary Workarounds
Disable ftrace return probes
Prevent triggering the vulnerability by disabling ftrace return probes (Linux):
echo 0 > /sys/kernel/debug/tracing/events/fprobes/enable
echo 0 > /sys/kernel/debug/tracing/tracing_on
🧯 If You Can't Patch
- Disable ftrace functionality entirely by mounting debugfs with noexec or restricting access
- Restrict user access to debugfs and prevent non-privileged users from enabling tracing features
🔍 How to Verify
Check if Vulnerable:
Check if running on RISC-V architecture with 'uname -m' showing 'riscv' and check if ftrace return probes can be enabled
Check Version:
uname -r
Verify Fix Applied:
Check that the kernel version includes the fix commits, or test the reproduction steps from the CVE description.
📡 Detection & Monitoring
Log Indicators:
- Kernel warnings containing 'Bad frame pointer' or 'ftrace_return_to_handler' errors in dmesg or system logs
Network Indicators:
- None - this is a local kernel issue
SIEM Query:
search for 'Bad frame pointer' OR 'ftrace_return_to_handler' in kernel logs
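
The checks from "How to Verify" and "Detection & Monitoring" combined into one triage script, as an added example that is not part of the original advisory or of the kernel project. Function names, verdict strings and the sample log lines are constructed for illustration; a "check-patch" verdict means the running kernel still has to be compared against the fix commits.

```shell
#!/bin/sh
# Added example: triage for CVE-2025-22069 using the checks listed on this page.
# Function names and verdict strings are assumptions of this example.

# is_riscv ARCH -> success when the `uname -m` value names a RISC-V machine
is_riscv() {
    case "$1" in riscv*) return 0 ;; *) return 1 ;; esac
}

# count_indicators LOGFILE -> number of lines carrying either log indicator
count_indicators() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 on zero matches; keep that from aborting callers
    grep -c -e 'Bad frame pointer' -e 'ftrace_return_to_handler' "$1" || true
}

# tracing_state TRACING_DIR -> on | off | unknown (directory not readable)
tracing_state() {
    f="$1/tracing_on"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# assess ARCH TRACING_DIR LOGFILE -> one-line verdict
assess() {
    if ! is_riscv "$1"; then echo "not-affected-arch"; return 0; fi
    hits=$(count_indicators "$3")
    state=$(tracing_state "$2")
    if [ "$hits" -gt 0 ]; then
        echo "triggered hits=$hits tracing=$state"   # warning already logged
    elif [ "$state" = off ]; then
        echo "mitigated tracing=off"                 # workaround in place
    else
        echo "check-patch tracing=$state"            # verify fix commits
    fi
}

# Constructed sample input (not real kernel output): a log and a fake tracing dir
demo=$(mktemp -d)
printf '%s\n' \
    '[  10.000000] constructed: Bad frame pointer: sample line' \
    '[  10.000001] constructed: WARNING at ftrace_return_to_handler sample' \
    '[  11.000000] constructed: unrelated message' > "$demo/kern.log"
echo 1 > "$demo/tracing_on"
assess riscv64 "$demo" "$demo/kern.log"
```

On a live host, save `dmesg` output to a file and call `assess "$(uname -m)" /sys/kernel/debug/tracing <that file>`.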