CVE-2025-39902 – A NULL pointer dereference vulnerability in the... (How to Fix)

Q: What is the severity of CVE-2025-39902?

CVE-2025-39902 has a CVSS score of 5.5 (MEDIUM). A NULL pointer dereference vulnerability in the Linux kernel's SLUB memory allocator can cause kernel crashes when debugging code attempts to access invalid object metadata. This affects Linux systems with kernel versions containing the vulnerable object_err() function. The vulnerability requires local access to trigger.

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's SLUB memory allocator can cause kernel crashes when debugging code attempts to access invalid object metadata. This affects Linux systems with kernel versions containing the vulnerable object_err() function. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:

Linux kernel

Versions: Kernel versions containing the vulnerable object_err() function prior to fixes in stable branches

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Requires SLUB allocator debugging features; vulnerability triggers during memory corruption detection.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

Local denial of service through kernel crash when specific memory corruption conditions are met.

🟢

If Mitigated

Minimal impact as the vulnerability requires local access and specific memory corruption conditions.

🌐 Internet-Facing: LOW - Requires local access to trigger, not remotely exploitable.

🏢 Internal Only: MEDIUM - Local users or processes could cause system crashes, but requires specific memory corruption conditions.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH - Requires inducing specific memory corruption conditions to trigger the vulnerable code path.

Exploitation requires local access and ability to trigger memory corruption that reaches object_err() with invalid pointers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in stable kernel commits referenced in CVE description

Vendor Advisory: https://git.kernel.org/stable/c/0ef7058b4dc6fcef622ac23b45225db57f17b83f

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing fixes from stable branches. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable SLUB debugging

linux

Disable SLUB allocator debugging features to avoid the vulnerable code path

echo 0 > /sys/kernel/slab/*/debug
echo 0 > /sys/kernel/slab/*/red_zone
echo 0 > /sys/kernel/slab/*/poison

🧯 If You Can't Patch

Restrict local user access to minimize attack surface
Implement kernel crash monitoring and automated recovery mechanisms

🔍 How to Verify

Check if Vulnerable:

Check kernel version and compare with patched versions in stable branches

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version matches or exceeds patched versions from stable branches

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages
SLUB debugging error messages
System crash/reboot events

Network Indicators:

None - local vulnerability only

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "SLUB" OR "object_err")

📊 Metadata

CVE ID: CVE-2025-39902

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.02% exploit probability (5.1th percentile)

Published: October 1, 2025

Last Updated: January 16, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-39902, you might also want to check these: