CVE-2025-39865

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's TEE (Trusted Execution Environment) subsystem allows local attackers to cause a kernel panic and system crash. This affects systems using the TEE subsystem, particularly those with OP-TEE implementations. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE, but patches available for multiple stable branches
Operating Systems: Linux distributions using vulnerable kernel versions with TEE subsystem enabled
Default Config Vulnerable: ✅ No
Notes: Only affects systems with TEE subsystem enabled and OP-TEE implementation. Many standard configurations may not have this enabled.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local denial of service causing kernel panic and system crash, potentially leading to data loss or service disruption.

🟠 Likely Case: Local denial of service through kernel panic triggered by a malicious user or process with access to TEE functionality.

🟢 If Mitigated: Minimal impact if proper access controls restrict local user privileges and TEE subsystem usage.

🌐 Internet-Facing: LOW - Requires local access to trigger, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users or processes with TEE access can cause system crashes, affecting availability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and the ability to trigger TEE operations. The crash occurs during the system shutdown sequence.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple stable kernel versions with commits: 25e315bc8ad363bd1194e49062f183ad4011957e, 4377eac565c297fdfccd2f8e9bf94ee84ff6172f, 5e07a4235bb85d9ef664411e4ff4ac34783c18ff, 963fca19fe34c496e04f7dd133b807b76a5434ca, add1ecc8f3ad8df22e3599c5c88d7907cc2a3079

Vendor Advisory: https://git.kernel.org/stable/c/25e315bc8ad363bd1194e49062f183ad4011957e

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution.
2. Check if TEE subsystem is enabled in your kernel configuration.
3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable TEE subsystem

Linux

Disable the TEE subsystem if not required for your use case

Check if TEE is enabled: grep CONFIG_TEE /boot/config-$(uname -r)
To disable: Recompile kernel without CONFIG_TEE=y

🧯 If You Can't Patch

  • Restrict local user access to systems using TEE functionality
  • Implement strict access controls and monitoring for TEE-related operations

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if TEE subsystem is enabled: uname -r && grep CONFIG_TEE /boot/config-$(uname -r)

Check Version:

uname -r

Verify Fix Applied:

Verify that the kernel version is updated to a patched version and check that the commit history includes the fix commits.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs mentioning tee_shm_put
  • System crash during shutdown with TEE-related stack traces
  • OOM or system instability around TEE operations

Network Indicators:

  • No network indicators - local vulnerability only

SIEM Query:

Search for kernel panic events with 'tee_shm_put' or 'TEE' in stack traces
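
The exposure check and the log indicator above, combined into one script. This is an added example, not part of the advisory or the kernel project; the function names, the sample config and the sample log lines (including symbol offsets) are constructed for illustration.

```shell
#!/bin/sh
# Added example: exposure and crash-signature checks for CVE-2025-39865.
# Function names and all sample data below are constructed, not from the advisory.

# Classify CONFIG_TEE in a kernel config file: builtin | module | disabled | unknown.
# Exact-match patterns, so "# CONFIG_TEE is not set" and longer option names do not count.
tee_config_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_TEE=y$' "$cfg"; then echo builtin
    elif grep -q '^CONFIG_TEE=m$' "$cfg"; then echo module
    else echo disabled
    fi
}

# Count NULL-dereference reports in a kernel log whose trace mentions tee_shm_put.
# A report runs from the "NULL pointer dereference" line to "---[ end trace".
count_tee_shm_put_oops() {
    awk '
        /NULL pointer dereference/   { if (in_oops && hit) n++; in_oops = 1; hit = 0 }
        in_oops && /tee_shm_put/     { hit = 1 }
        in_oops && /---\[ end trace/ { if (hit) n++; in_oops = 0 }
        END { if (in_oops && hit) n++; print n + 0 }
    ' "$1"
}

# Demo on a constructed config and a constructed kernel log (not from a real system).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_TEE=m' 'CONFIG_OPTEE=m' > "$d/config"
    cat > "$d/kern.log" <<'EOF'
[  812.100] reboot: Restarting system
[  812.204] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  812.231] Call trace:
[  812.232]  tee_shm_put+0x24/0x188
[  812.260] ---[ end trace 0000000000000000 ]---
[  900.000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  900.010]  some_other_driver_release+0x10/0x40
[  900.020] ---[ end trace 0000000000000000 ]---
EOF
    echo "CONFIG_TEE: $(tee_config_state "$d/config")"
    echo "tee_shm_put oops reports: $(count_tee_shm_put_oops "$d/kern.log")"
    rm -rf "$d"
}
demo
```

On a real host, pass /boot/config-$(uname -r) to the first function and a saved copy of the previous boot's kernel log (for example from journalctl -k -b -1) to the second, since the crash happens at shutdown.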
