Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Avoid creating sub-groups asynchronously

The asynchronous creation of sub-groups by a delayed work could lead to a
NULL pointer dereference when the driver directory is removed before the
work completes.

The crash can be easily reproduced with the following commands:

# cd /sys/kernel/config/pci_ep/functions/pci_epf_test
# for i in {1..20}; do mkdir test && rmdir test; done

BUG: kernel NULL pointer dereference, address: 0000000000000088
...
Call Trace:
configfs_register_group+0x3d/0x190
pci_epf_cfs_work+0x41/0x110
process_one_work+0x18f/0x350
worker_thread+0x25a/0x3a0

Fix this issue by using configfs_add_default_group() API which does not
have the deadlock problem as configfs_register_group() and does not require
the delayed work handler.

[mani: slightly reworded the description and added stable list]
Published: 2026-02-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: NULL pointer dereference that causes kernel crash
Action: Update Kernel
AI Analysis

Impact

The vulnerability arises when the PCI endpoint driver creates sub‑groups asynchronously using a delayed work handler. If the driver directory is removed before the work executes, the handler dereferences a NULL pointer, causing a kernel crash. The crash manifests as a fault in configfs_register_group and a resulting kernel panic. This leads to a denial of service by bringing the affected system down to a non‑functional state. The weakness is a classic Defective Null Pointer Dereference (CWE‑476).

Affected Systems

All versions of the Linux kernel that have not yet incorporated the fix are affected. The precise kernel release numbers are not specified in the advisory, so any kernel prior to the inclusion of configfs_add_default_group() is considered vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, and an EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker or a process with write access to configfs can repeatedly create and remove directories under /sys/kernel/config/pci_ep/functions without requiring privileged escalation, triggering the crash. Exploitation requires only the ability to execute the faulty work, which is present in the kernel’s configuration.

Generated by OpenCVE AI on April 20, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the configfs_add_default_group fix
  • If the kernel cannot be updated immediately, avoid performing rapid create and delete operations on PCI endpoint configuration directories in /sys/kernel/config/pci_ep/functions
  • Monitor kernel logs for null pointer dereferences or kernel panics and investigate promptly

Generated by OpenCVE AI on April 20, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4499-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6141-1 linux security update
Debian DSA Debian DSA DSA-6163-1 linux security update
History

Wed, 18 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 23 Feb 2026 03:30:00 +0000

Type Values Removed Values Added
References

Thu, 19 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
References

Thu, 19 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 18 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Avoid creating sub-groups asynchronously The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes. The crash can be easily reproduced with the following commands: # cd /sys/kernel/config/pci_ep/functions/pci_epf_test # for i in {1..20}; do mkdir test && rmdir test; done BUG: kernel NULL pointer dereference, address: 0000000000000088 ... Call Trace: configfs_register_group+0x3d/0x190 pci_epf_cfs_work+0x41/0x110 process_one_work+0x18f/0x350 worker_thread+0x25a/0x3a0 Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler. [mani: slightly reworded the description and added stable list]
Title PCI: endpoint: Avoid creating sub-groups asynchronously
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:56:54.929Z

Reserved: 2026-02-18T14:25:13.845Z

Link: CVE-2025-71233

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T16:22:30.080

Modified: 2026-03-18T17:14:10.280

Link: CVE-2025-71233

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-18T00:00:00Z

Links: CVE-2025-71233 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses