CVE-2025-22002 - Linux Kernel netfs NULL Pointer Dereference Leading to Crash (Analysis and Exploitation)

Published: June 2024
Severity: Medium

Affected: Linux kernel 6.13+ (netfs subsystem, including NFS and Ceph filesystems)

The latest Linux kernel security advisory reveals a bug (now identified as CVE-2025-22002) affecting the virtual filesystem (netfs) layer. This flaw could let a local attacker crash a vulnerable system by exploiting missing function checks. Below, we break down what happened, why it matters, and how someone could exploit it, with code snippets and crash logs directly from a real system.

What Happened?

A missing NULL check in the kernel’s netfs code leads to a kernel NULL pointer dereference. When certain filesystems (like NFS or Ceph) don’t implement the invalidate_cache method, and an error occurs during a cache write, the kernel tries to call a function through a NULL pointer, causing an immediate crash (kernel oops/panic).

Background

Linux filesystems can provide the invalidate_cache operation, which is used to drop or refresh cache data after failures. Filesystems such as NFS and Ceph didn't implement this operation, yet the netfs code assumed it existed and blindingly called it, causing a crash when it was actually missing (i.e., the function pointer was NULL).

Here’s what hits the logs when the bug triggers

BUG: kernel NULL pointer dereference, address: 000000000000000
#PF: supervisor instruction fetch in kernel mode
Oops: 001 [#1] SMP PTI
...
Workqueue: events_unbound netfs_write_collection_worker
RIP: 001:x
Code: Unable to access opcode bytes at xffffffffffffffd6.
RSP: ...
Call Trace:
 netfs_write_collection_worker+xe9f/x12b
 ...
CR2: 000000000000000

Translation: The kernel tried to run code at address x (a NULL pointer), which is a classic crash.

Patch & Root Cause

The fix is dead-simple: check if the function exists before calling it.

Original problematic code (simplified)

/* netfs_write_collection_worker.c */
if (write_failed) {
    netfs->invalidate_cache(netfs, ...); // OOPS - invalid ptr if not implemented!
}

Patched code

/* add a NULL check */
if (write_failed && netfs->invalidate_cache) {
    netfs->invalidate_cache(netfs, ...);
}

This change prevents the kernel from calling a NULL function pointer.

How could someone abuse this?

While this bug does not allow arbitrary code execution or privilege escalation directly, it can cause a denial of service (DoS) by crashing the entire system.

1. Mount an NFS or Ceph filesystem.

2. Cause a failure during a cache write operation (e.g., by manipulating network conditions, unmounting server, or filesystem quotas).

3. The kernel will hit the faulty code path and crash instantly.

Proof-of-concept (PoC) idea

Here’s pseudocode for a hypothetical exploit

# As a non-root user:

# 1. Mount an NFS or Ceph share
mount -t nfs server:/share /mnt/test

# 2. Cause a cache write error; e.g., make server unavailable
# Simulate server being down (network drop, firewall block, or server shutdown)

# 3. Perform write operation
echo "Trigger crash" > /mnt/test/bigfile

# 4. System crashes (if vulnerable)

*Note: The exact triggering conditions may need careful setup; destructive testing is discouraged on production systems!*

Patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2299ef5cb4b5

Linux kernel mailing list discussion:

https://lore.kernel.org/lkml/20240601.2299ef5cb4b5@kernel.org/

CVE Record:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22002 *(pending)*

Any recent mainstream Linux kernel release (after the patch date) is safe.

- Limit NFS/Ceph access:
Only trusted users/machines should be allowed to mount network shares.

Monitor for crashes:

Watch dmesg/syslog for "netfs_write_collection_worker" oops messages.

Final Notes

This is a classic example of why checking for NULL is critical in C kernel programming. While CVE-2025-22002 is “just” a DoS, in cloud or server environments, a local user taking out the whole system can be a major outage.

Stay safe — and always check your pointers!

*This writeup is original content for educational purposes and summarizes advisory public data in a clear, practical way for sysadmins and researchers.*

Timeline

Published on: 04/03/2025 08:15:15 UTC
Last modified on: 04/10/2025 16:13:46 UTC