CVE-2025-38049
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's x86 resctrl subsystem occurs when creating new control groups on platforms without cache occupancy monitors. This causes a kernel panic or system crash, affecting Linux systems running vulnerable kernel versions on x86 architectures without hardware monitoring counters.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to complete system crash and denial of service, potentially causing data loss or corruption if the system is performing critical operations.
Likely Case
System crash when attempting to create new resctrl control groups, resulting in denial of service for affected systems.
If Mitigated
No impact if the system doesn't use resctrl features or has been patched.
🎯 Exploit Status
Exploitation requires local access and ability to create resctrl control groups. The vulnerability triggers reliably when conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 93a418fc61da13d1ee4047d4d1327990f7a2816a, a121798ae669351ec0697c94f71c3a692b2a755b, a8a1bcc27d4607227088d80483164289b5348293, ed5addb55e403ad6598102bcf546e068ae01fef6
Vendor Advisory: https://git.kernel.org/stable/c/93a418fc61da13d1ee4047d4d1327990f7a2816a
Restart Required: Yes
Instructions:
1. Update to a kernel version containing the fix commits.
2. Check your distribution's security advisories for backported patches.
3. Reboot the system after kernel update.
🔧 Temporary Workarounds
Disable resctrl subsystem
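Linux: Prevent use of the resctrl subsystem to avoid triggering the vulnerability. On mainline x86 kernels resctrl is built in (CONFIG_X86_CPU_RESCTRL is a boolean option, not a loadable module), so confirm that the blacklist entry has an effect on your kernel. Control groups can only be created while the resctrl filesystem is mounted.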
echo 'blacklist resctrl' > /etc/modprobe.d/resctrl-blacklist.conf
update-initramfs -u
reboot
Restrict resctrl access
Linux: Limit which users can access resctrl control groups
chmod 700 /sys/fs/resctrl
setfacl -m u:root:rwx /sys/fs/resctrl
🧯 If You Can't Patch
- Avoid creating new resctrl control groups on affected systems
- Implement strict access controls to prevent unauthorized users from accessing resctrl functionality
🔍 How to Verify
Check if Vulnerable:
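Check if the system has hardware cache occupancy monitors (the CPU flag in /proc/cpuinfo is cqm_occup_llc; llc_occupancy is the name of the resctrl event, not a CPU flag):
grep -qw cqm_occup_llc /proc/cpuinfo && echo 'Has monitors' || echo 'No monitors - potentially vulnerable'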
Check Version:
uname -r
Verify Fix Applied:
Run uname -r and confirm against your distribution's security advisory that the running kernel includes the fix commits.
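The checks in this section can be combined into one triage script. This is an added example, not part of the advisory: the function names and result labels are illustrative, and it assumes the cqm_occup_llc CPU flag marks an LLC occupancy monitor and that /proc/filesystems and /proc/mounts show whether resctrl is available and mounted. It does not determine patch level.

```shell
#!/bin/sh
# Added example (not from the advisory): exposure triage for CVE-2025-38049.
# Function names and result labels are illustrative. Paths are parameters so
# the checks can run against constructed files as well as the live /proc.

# 0 if the CPU flags line advertises an LLC occupancy monitor.
has_occupancy_monitor() {
    grep '^flags' "${1:-/proc/cpuinfo}" | grep -qw 'cqm_occup_llc'
}

# 0 if the running kernel registered the resctrl filesystem type.
resctrl_supported() {
    awk '$NF == "resctrl" { f = 1 } END { exit !f }' "${1:-/proc/filesystems}"
}

# 0 if a resctrl filesystem is mounted (fstype is field 3 of /proc/mounts).
resctrl_mounted() {
    awk '$3 == "resctrl" { f = 1 } END { exit !f }' "${1:-/proc/mounts}"
}

# Prints one label. Only the two *-no-monitor results match the condition the
# advisory describes and need the kernel checked against the fix commits.
triage() {
    if ! resctrl_supported "$3"; then
        echo no-resctrl             # resctrl not available on this kernel
    elif has_occupancy_monitor "$1"; then
        echo monitor-present        # not the platform type described
    elif resctrl_mounted "$2"; then
        echo mounted-no-monitor     # control groups can be created now
    else
        echo unmounted-no-monitor   # reachable only once resctrl is mounted
    fi
}

# Constructed sample: an allocation-only CPU (cat_l3, no cqm_* flags) on a
# host where resctrl is mounted.
demo() {
    d=$(mktemp -d)
    printf 'flags\t\t: fpu vme cat_l3 cdp_l3\n' > "$d/cpuinfo"
    printf 'resctrl /sys/fs/resctrl resctrl rw,relatime 0 0\n' > "$d/mounts"
    printf 'nodev\tsysfs\nnodev\tresctrl\n' > "$d/filesystems"
    triage "$d/cpuinfo" "$d/mounts" "$d/filesystems"
    rm -rf "$d"
}
demo
```

Calling triage with no arguments reads the live /proc files on the host being assessed.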
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- NULL pointer dereference errors mentioning resctrl or CLOSID
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kern.log" AND ("NULL pointer dereference" OR "kernel panic" OR "resctrl" OR "CLOSID")