CVE-2025-37829 – A NULL pointer dereference vulnerability in the... (How to Fix)

Q: What is the severity of CVE-2025-37829?

CVE-2025-37829 has a CVSS score of 5.5 (MEDIUM). A NULL pointer dereference vulnerability in the Linux kernel's SCPI cpufreq driver allows local attackers to crash the system by triggering a kernel panic. This affects Linux systems using the SCPI cpufreq driver, particularly ARM-based systems with specific CPU frequency scaling implementations.

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's SCPI cpufreq driver allows local attackers to crash the system by triggering a kernel panic. This affects Linux systems using the SCPI cpufreq driver, particularly ARM-based systems with specific CPU frequency scaling implementations.

💻 Affected Systems

Products:

Linux kernel

Versions: Kernel versions with the vulnerable scpi_cpufreq driver (specific version range not specified in CVE, but patches exist for stable branches)

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using the SCPI cpufreq driver, typically ARM-based systems. Requires local access to trigger.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local denial of service causing kernel panic and system crash, potentially leading to data loss or service disruption.

🟠

Likely Case

Local denial of service through system crash when malicious users trigger the vulnerable code path.

🟢

If Mitigated

Minimal impact with proper access controls preventing local users from executing the vulnerable code path.

🌐 Internet-Facing: LOW - Requires local access to exploit, not remotely exploitable.

🏢 Internal Only: MEDIUM - Local users or processes could trigger the vulnerability, potentially causing system instability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and ability to trigger the specific cpufreq operation. Exploitation requires understanding of system's CPU configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel branches (commits: 124bddf123311cd1f18bffd63a5d974468d59c67, 19e0eaa62e8831f2bc0285fef3bf8faaa7f3e09b, 28fbd7b13b4d3074b16db913aedc9d8d37ab41e7, 73b24dc731731edf762f9454552cb3a5b7224949, 8fbaa76690f67a7cbad315f89d607b46e3e06ede)

Vendor Advisory: https://git.kernel.org/stable/c/124bddf123311cd1f18bffd63a5d974468d59c67

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version. 2. Reboot system. 3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable SCPI cpufreq driver

linux

Remove or blacklist the scpi-cpufreq module to prevent loading of vulnerable driver

echo 'blacklist scpi-cpufreq' >> /etc/modprobe.d/blacklist-scpi.conf
rmmod scpi-cpufreq

🧯 If You Can't Patch

Restrict local user access to prevent exploitation
Implement strict process isolation and privilege separation

🔍 How to Verify

Check if Vulnerable:

Check if scpi-cpufreq module is loaded: lsmod | grep scpi_cpufreq

Check Version:

uname -r

Verify Fix Applied:

Check kernel version against patched versions and verify scpi-cpufreq module loads without errors

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages
NULL pointer dereference errors in kernel logs
System crash/reboot events

Network Indicators:

None - local vulnerability only

SIEM Query:

source="kernel" AND ("NULL pointer dereference" OR "scpi_cpufreq" OR "kernel panic")

📊 Metadata

CVE ID: CVE-2025-37829

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.03% exploit probability (6.2th percentile)

Published: May 8, 2025

Last Updated: November 12, 2025

🔗 References

https://git.kernel.org/stable/c/124bddf123311cd1f18bffd63a5d974468d59c67 Patch
https://git.kernel.org/stable/c/19e0eaa62e8831f2bc0285fef3bf8faaa7f3e09b Patch
https://git.kernel.org/stable/c/28fbd7b13b4d3074b16db913aedc9d8d37ab41e7 Patch
https://git.kernel.org/stable/c/73b24dc731731edf762f9454552cb3a5b7224949 Patch
https://git.kernel.org/stable/c/8fbaa76690f67a7cbad315f89d607b46e3e06ede Patch
https://git.kernel.org/stable/c/ad4796f2da495b2cbbd0fccccbcbf63f2aeee613 Patch
https://git.kernel.org/stable/c/da8ee91e532486055ecf88478d38c2f3dc234182 Patch
https://git.kernel.org/stable/c/fdf035d9c5436536ffcfea0ac6adeb5dda3c3a23 Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-37829, you might also want to check these: