CVE-2025-38610

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's powercap subsystem allows local attackers to crash the kernel when a CPU becomes unavailable during runtime. This affects systems running vulnerable Linux kernel versions with power management features enabled. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific vulnerable versions not explicitly stated in CVE, but patches available in stable kernel trees
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the powercap subsystem (power management) to be enabled and CPU hot-unplug events to occur.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.

🟠 Likely Case: System crash or kernel panic when specific power management operations occur on systems with CPU hot-unplug events.

🟢 If Mitigated: Minor performance impact from power management operations failing gracefully instead of crashing.

🌐 Internet-Facing: LOW - Requires local access to trigger, cannot be exploited remotely.
🏢 Internal Only: MEDIUM - Local users or processes could crash the system, affecting availability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger CPU hot-unplug events or power management operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (commits listed in references)

Vendor Advisory: https://git.kernel.org/stable/c/27914f2b795e2b58e9506f281dcdd98fef09d3c2

Restart Required: No

Instructions:

1. Update to a patched kernel version from your distribution's repositories.
2. Apply the specific kernel patch if building from source.
3. Reboot to load the new kernel.

🔧 Temporary Workarounds

Disable CPU hot-unplug

all

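Prevent CPUs from being removed during runtime to avoid triggering the vulnerability.

Writing 0 to a CPU's online file takes that CPU offline, which is itself a hot-unplug event. On an unpatched kernel this is the operation to avoid, not a way to block hot-unplug:
echo 0 > /sys/devices/system/cpu/cpuX/online
Set the kernel boot parameter 'maxcpus' to a fixed value.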

Disable powercap subsystem

all

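Remove the vulnerable component if not needed. This applies only where the powercap code is built as a loadable module; code built into the kernel image cannot be unloaded with modprobe.

modprobe -r powercap
Add 'modprobe.blacklist=powercap' to kernel parameters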

🧯 If You Can't Patch

  • Restrict local user access to systems with vulnerable kernels
  • Monitor for kernel panic events and implement high availability solutions

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether a powercap module is loaded (lsmod lists loadable modules only, not built-in code):
uname -r; lsmod | grep powercap

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated and check for presence of the fix in kernel source or changelog

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • NULL pointer dereference errors in kernel logs
  • CPU hot-unplug events followed by crashes

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("NULL pointer dereference" OR "kernel panic") AND "get_pd_power_uw"
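
The log indicators above can be correlated offline. In a kernel oops, get_pd_power_uw appears in the faulting-instruction line (RIP on x86, pc on arm64) rather than as a process name. This is an added example, not code from the advisory or the kernel project: find_powercap_oopses is a hypothetical helper, the CPU-offline message patterns are assumptions about common kernel output, and the log lines are constructed.

```python
import re

# Oops banners for a NULL dereference on x86 and arm64 kernels.
OOPS_START = re.compile(
    r"BUG: kernel NULL pointer dereference"
    r"|Unable to handle kernel NULL pointer dereference")
# Faulting-instruction line: "RIP: 0010:func+0x.." (x86), "pc : func+0x.." (arm64).
FAULT_PC = re.compile(r"(?:RIP: [0-9a-f]{4}:|pc : )([\w.]+)\+0x")
# CPU offline notices; the exact text varies by architecture and version (assumption).
OFFLINE = re.compile(r"CPU ?(\d+) (?:is now offline|killed)")

def find_powercap_oopses(lines, target="get_pd_power_uw", window=40):
    """Return one record per NULL-deref oops whose faulting PC is in `target`."""
    hits, oops_at, offlined = [], None, None
    for no, line in enumerate(lines, 1):
        m = OFFLINE.search(line)
        if m:
            offlined = int(m.group(1))      # most recent CPU taken offline
        if OOPS_START.search(line):
            oops_at = no                    # start looking for the PC line
            continue
        if oops_at is None:
            continue
        if no - oops_at > window:           # banner without a PC line: give up
            oops_at = None
            continue
        m = FAULT_PC.search(line)
        if m:
            # Strip compiler suffixes such as ".cold" or ".isra.0".
            if m.group(1).split(".")[0] == target:
                hits.append({"oops_line": oops_at, "function": m.group(1),
                             "offlined_cpu": offlined})
            oops_at = None
    return hits

# Constructed sample: one matching arm64 oops, one unrelated x86 oops.
SAMPLE = """\
[  812.104211] psci: CPU3 killed (polled 0 ms)
[  812.907733] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  812.907801] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[  812.907850] pc : get_pd_power_uw+0x2c/0xd0
[  812.907862] lr : example_caller+0x40/0x90
[  901.000100] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  901.000140] RIP: 0010:unrelated_driver_fn+0x1a/0x60
""".splitlines()

if __name__ == "__main__":
    for hit in find_powercap_oopses(SAMPLE):
        print(hit)
```

Feed it the output of a kernel log export (one line per list element); a hit with a non-empty offlined_cpu matches the "CPU hot-unplug events followed by crashes" indicator.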

🔗 References
