In early 2025, Linux security researchers and Raspberry Pi users encountered an issue identified as CVE-2025-22011. This vulnerability affected the Raspberry Pi Compute Module 4 (CM4), causing crashes in the Video Processing Unit (VPU) firmware during certain power management operations. Let's break it down in simple terms, look at the technical details, and show what you need to know to stay secure.

## What Happened?

When running s2idle (standby-to-idle) tests on the Raspberry Pi CM4, developers observed that the VPU firmware consistently crashed when the system resumed from the freeze state. The logs looked like this:

```
root@raspberrypi:/sys/power# echo freeze > state
[   70.724347] xhci_suspend finished
[   70.727730] xhci_plat_suspend finished
[   70.755624] bcm2835-power bcm2835-power: Power grafx off
[   70.761127]  USB: Set power to 

[   74.653040]  USB: Failed to set power to 1 (-110)
```

## The Root Cause

The problem came from mixed usage of two power-domain driver systems — raspberrypi-power and bcm2835-power. Both were handling the power domain for the USB xHCI controller, but doing it differently and simultaneously. This conflict confused the VPU firmware, and led to the crash after the system resumed from sleep.

## Where in the Source Code?

The bug sat in the ARM Device Tree Source (DTS) definitions for the BCM2711 SoC (the chip inside RPi 4/CM4). The device tree for the USB controller let both drivers own the same power-domain. Here’s a simplified excerpt of what might go wrong:

```dts
usb@7e980000 {
    compatible = "generic-xhci";
    /* xHCI power routed through the VPU firmware power-domain driver */
    power-domains = <&vpu_power>;
    // ...
};
```

On certain kernels, the overlay could lead to two power domain drivers active at once.

## How Was CVE-2025-22011 Fixed?

Developers fixed this by excluding the VPU firmware power-domain driver on the xHCI device nodes in the device tree. Now, only one power domain driver is engaged—avoiding the crash.

The patch, as seen in the original commit:

- power-domains = <&vpu_power>;
+ // Removed to avoid mixed usage
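
Review bot: the added comment `// Removed to avoid mixed usage` does not say which provider owns the xHCI power domain once `power-domains = <&vpu_power>;` is gone. The hunk only deletes the reference, so a reader cannot tell from these lines whether the controller is still powered through another domain or left without one across suspend and resume. Suggest naming the remaining owner in the comment, or adding the replacement `power-domains` line in the same hunk if one is intended.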

Or, in full context, you might see:

```dts
// Before (problematic)
usb@7e980000 {
    compatible = "generic-xhci";
    power-domains = <&vpu_power>;
    // ...
};

// After (fixed)
usb@7e980000 {
    compatible = "generic-xhci";
    // power-domains removed to avoid firmware crash
    // ...
};
```

## Is There an Exploit?

Short answer: There isn’t a remote exploit!
BUT, this bug could allow local users, or scripts triggering s2idle, to crash your system’s USB subsystem or even lock up your Raspberry Pi CM4. If you’re running critical applications (surveillance, kiosks, robots, etc.), you don’t want power events to bring everything down.

## How Do I Patch My System?

- Update your Linux kernel: The fix is in all recent mainline kernels (Linux 6.7+ and modern RPi kernels).

  ```bash
  sudo apt update && sudo apt full-upgrade
  ```

- Double-check your overlays: If you’re customizing device trees or overlays, make sure not to add conflicting power-domain properties.
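
One way to run the overlay check from the list above is to scan device tree source for xHCI nodes and report which power-domain provider each one references. This is an added example, not code from the kernel or Raspberry Pi projects; the `vpu_power` label comes from the simplified excerpt earlier on this page, while the `soc` parent node, the `xhci:` label and the function names are constructed for illustration.

```python
import re

# Provider label taken from this page's simplified excerpt (an assumption,
# not necessarily the label used in the upstream device tree).
FLAGGED_PROVIDER = "vpu_power"

# One token per match: "name {" opens a node, "}" closes it,
# "key = value;" is a property, any other "...;" statement is ignored.
TOKEN = re.compile(r"([^;{}]+)\{|\}|([^;{}=]+?)\s*=\s*([^;{}]*);|[^;{}]*;")

def strip_comments(src):
    """Drop /* */ and // comments so commented-out properties do not count."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def xhci_power_domains(src):
    """Map each generic-xhci node path to the provider labels it references."""
    stack, props, found = [], [], {}
    for m in TOKEN.finditer(strip_comments(src)):
        if m.group(1) is not None:                    # node opens
            stack.append(m.group(1).split(":")[-1].strip())  # drop "label:"
            props.append({})
        elif m.group(0) == "}" and stack:             # node closes
            path = "/".join(stack).replace("//", "/")
            node = props.pop()
            stack.pop()
            if "generic-xhci" in node.get("compatible", ""):
                found[path] = re.findall(r"&(\w+)", node.get("power-domains", ""))
        elif m.group(2) is not None and props:        # property of current node
            props[-1][m.group(2).strip()] = m.group(3)
    return found

def flagged_nodes(src, provider=FLAGGED_PROVIDER):
    """Paths of xHCI nodes whose power-domains names the flagged provider."""
    return sorted(p for p, refs in xhci_power_domains(src).items() if provider in refs)

# Constructed samples modelled on the page's before/after excerpts.
BEFORE = """
/ { soc {
    xhci: usb@7e980000 {
        compatible = "generic-xhci";
        power-domains = <&vpu_power>;
    };
}; };
"""
AFTER = BEFORE.replace("power-domains", "// power-domains")

if __name__ == "__main__":
    for name, src in (("before", BEFORE), ("after", AFTER)):
        print(name, xhci_power_domains(src), "flagged:", flagged_nodes(src))
```

The scan works on source text that still carries labels, such as a custom `.dts` or overlay file; a tree decompiled from a running system shows numeric phandles instead of labels and would need the provider resolved first.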

---


## Wrapping Up

CVE-2025-22011 wasn’t your typical “remote hack” bug, but rather an annoying system stability flaw for Raspberry Pi CM4 users who used advanced power management. The community worked fast to fix it, so just make sure you’re up-to-date if your Pi enters sleep frequently.

Stay patched, and your Pi will stay healthy!


## Timeline

Published on: 04/08/2025 09:15:25 UTC
Last modified on: 04/10/2025 13:10:41 UTC