CVE-2025-38171 – A NULL pointer dereference vulnerability in the... (How to Fix)

Q: What is the severity of CVE-2025-38171?

CVE-2025-38171 has a CVSS score of 5.5 (MEDIUM). A NULL pointer dereference vulnerability in the Linux kernel's max77705 power supply driver could cause kernel panics or system crashes when device probe fails. This affects Linux systems using the max77705 power management chip. The vulnerability occurs during error handling when creating workqueues.

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's max77705 power supply driver could cause kernel panics or system crashes when device probe fails. This affects Linux systems using the max77705 power management chip. The vulnerability occurs during error handling when creating workqueues.

💻 Affected Systems

Products:

Linux kernel with max77705 power supply driver

Versions: Linux kernel versions containing the vulnerable code (specific versions not specified in CVE)

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with max77705 power management hardware. Most servers and desktops are not affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially requiring physical reboot.

🟠

Likely Case

System instability or crash when the max77705 driver fails to initialize properly during boot or hotplug events.

🟢

If Mitigated

Minor system instability that may cause temporary service interruption but no persistent damage.

🌐 Internet-Facing: LOW - Requires local access or physical device interaction to trigger.

🏢 Internal Only: MEDIUM - Could affect system stability on devices using this specific hardware component.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires triggering the specific error condition during device probe, which typically requires physical access or hardware manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel commits 11741b8e382d34b13277497ab91123d8b0b5c2db and 7f16be2b2927fdcfe40b596b7411c46d23a82034

Vendor Advisory: https://git.kernel.org/stable/c/11741b8e382d34b13277497ab91123d8b0b5c2db

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load patched kernel.

🔧 Temporary Workarounds

Disable max77705 driver

linux

Prevent loading of the vulnerable driver module

echo 'blacklist max77705' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

Avoid using systems with max77705 power management hardware
Implement monitoring for kernel panic events and system crashes

🔍 How to Verify

Check if Vulnerable:

Check if max77705 driver is loaded: lsmod | grep max77705

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes fix commits or verify driver loads without errors in dmesg

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages in /var/log/kern.log or dmesg
System crash/reboot events

Network Indicators:

None - local vulnerability only

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "NULL pointer dereference")

📊 Metadata

CVE ID: CVE-2025-38171

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.02% exploit probability (4.7th percentile)

Published: July 3, 2025

Last Updated: November 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-38171, you might also want to check these: