CVE-2025-38559

5.5 MEDIUM

📋 TL;DR

This CVE describes a NULL pointer dereference vulnerability in the Linux kernel's Intel Platform Monitoring Technology (PMT) driver. When accessing crashlog data through binary sysfs, the driver fails to properly handle missing endpoint data, causing a kernel panic. This affects Linux systems with Intel PMT hardware support.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE, but patches exist for multiple stable branches
Operating Systems: Linux distributions with Intel PMT support
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Intel PMT hardware and kernel module loading. Vulnerability triggered through /sys/class/pmt/pmt_crashlog* binary file reads.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

System crash when specific crashlog sysfs operations are performed, requiring reboot to restore functionality.

🟢

If Mitigated

No impact if the vulnerable code path isn't triggered or if proper access controls prevent user access to sysfs interfaces.

🌐 Internet-Facing: LOW - Requires local access to trigger through sysfs interface.
🏢 Internal Only: MEDIUM - Local users or processes with appropriate permissions could trigger the crash.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to read specific sysfs binary files. Not remotely exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple stable kernel versions with commit hashes: 089d05266b2c, 18d53b543b54, 54d5cd4719c5, 860d93bd6a21

Vendor Advisory: https://git.kernel.org/stable/c/089d05266b2caf020ac2ae2cd2be78f580268f5d

Restart Required: No

Instructions:

1. Update Linux kernel to patched version.
2. For custom kernels, apply the fix from provided git commits.
3. No kernel module reload required for live systems.

🔧 Temporary Workarounds

Disable PMT crashlog access

all

Prevent users from accessing the vulnerable sysfs interface

chmod 000 /sys/class/pmt/pmt_crashlog*
echo 'install pmt_class /bin/false' >> /etc/modprobe.d/disable-pmt.conf

🧯 If You Can't Patch

  • Restrict access to /sys/class/pmt/pmt_crashlog* files to root only
  • Unload pmt_class module if not required: rmmod pmt_class

🔍 How to Verify

Check if Vulnerable:

Check if pmt_class module is loaded: lsmod | grep pmt_class. Check if /sys/class/pmt/pmt_crashlog* files exist.

Check Version:

uname -r

Verify Fix Applied:

Check kernel version against patched versions. Verify git commit contains the fix by checking kernel source.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs with 'NULL pointer dereference' in intel_pmt_read function
  • Oops messages referencing pmt_class

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND (("NULL pointer dereference" AND "intel_pmt_read") OR "pmt_class")
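
A kernel oops is written as many separate log lines, so a per-event query may never see "NULL pointer dereference" and "intel_pmt_read" in the same record. The following is an added example, not part of the original advisory: it groups lines into one oops report and flags the report only when a stack frame names intel_pmt_read or carries the [pmt_class] module tag. The log sample, its timestamps, addresses and offsets, and the unrelated_fn/unrelated_mod names are constructed.

```python
import re

# Constructed sample kernel log: timestamps, addresses and offsets are made up.
SAMPLE_LOG = """\
[  245.318820] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  245.318845] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  245.318860] RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class]
[  245.318890] Modules linked in: pmt_class
[  245.318900] ---[ end trace 0000000000000000 ]---
[  300.000000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  300.000010] RIP: 0010:unrelated_fn+0x10/0x40 [unrelated_mod]
[  300.000020] Modules linked in: unrelated_mod pmt_class
[  300.000030] ---[ end trace 0000000000000000 ]---
[  410.500000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  410.500010] RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class]
"""

START = re.compile(r"BUG: kernel NULL pointer dereference")
END = re.compile(r"---\[ end trace")
# Match stack frames only: the function symbol, or the "[module]" tag on a frame.
# "Modules linked in:" lists names without brackets, so it cannot match.
FRAME = re.compile(r"\bintel_pmt_read\+0x|\[pmt_class\]")
STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]")


def find_pmt_oopses(log_text):
    """Return start timestamps of NULL-deref oopses whose frames implicate PMT."""
    hits, start_ts, implicated = [], None, False

    def flush():
        if start_ts is not None and implicated:
            hits.append(start_ts)

    for line in log_text.splitlines():
        if START.search(line):
            flush()  # previous report was cut off (panic before "end trace")
            m = STAMP.match(line)
            start_ts, implicated = (m.group(1) if m else "?"), False
        elif start_ts is not None:
            if FRAME.search(line):
                implicated = True
            if END.search(line):
                flush()
                start_ts = None
    flush()  # report still open at end of log
    return hits


if __name__ == "__main__":
    print(find_pmt_oopses(SAMPLE_LOG))
```

The second report in the sample has pmt_class loaded but crashes elsewhere, and is not flagged; the third is truncated before "end trace" and is still reported.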
