{"id":"AZL-61688","summary":"CVE-2025-22018 affecting package kernel for versions less than 6.6.92.2-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: Fix NULL pointer dereference\n\nWhen MPOA_cache_impos_rcvd() receives the msg, it can trigger\nNull Pointer Dereference Vulnerability if both entry and\nholding_time are NULL. Because there is only for the situation\nwhere entry is NULL and holding_time exists, it can be passed\nwhen both entry and holding_time are NULL. If these are NULL,\nthe entry will be passd to eg_cache_put() as parameter and\nit is referenced by entry-\u003euse code in it.\n\nkasan log:\n\n[    3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I\n[    3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[    3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102\n[    3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[    3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470\n[    3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80\n[    3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006\n[    3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e\n[    3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030\n[    3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88\n[    3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15\n[    3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068\n[    3.324185] FS:  000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000\n[    3.325042] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0\n[    3.326430] Call Trace:\n[    3.326725]  \u003cTASK\u003e\n[    3.326927]  ? die_addr+0x3c/0xa0\n[    3.327330]  ? exc_general_protection+0x161/0x2a0\n[    3.327662]  ? asm_exc_general_protection+0x26/0x30\n[    3.328214]  ? vprintk_emit+0x15e/0x420\n[    3.328543]  ? eg_cache_remove_entry+0xa5/0x470\n[    3.328910]  ? eg_cache_remove_entry+0x9a/0x470\n[    3.329294]  ? __pfx_eg_cache_remove_entry+0x10/0x10\n[    3.329664]  ? console_unlock+0x107/0x1d0\n[    3.329946]  ? __pfx_console_unlock+0x10/0x10\n[    3.330283]  ? do_syscall_64+0xa6/0x1a0\n[    3.330584]  ? entry_SYSCALL_64_after_hwframe+0x47/0x7f\n[    3.331090]  ? __pfx_prb_read_valid+0x10/0x10\n[    3.331395]  ? down_trylock+0x52/0x80\n[    3.331703]  ? vprintk_emit+0x15e/0x420\n[    3.331986]  ? __pfx_vprintk_emit+0x10/0x10\n[    3.332279]  ? down_trylock+0x52/0x80\n[    3.332527]  ? _printk+0xbf/0x100\n[    3.332762]  ? __pfx__printk+0x10/0x10\n[    3.333007]  ? _raw_write_lock_irq+0x81/0xe0\n[    3.333284]  ? __pfx__raw_write_lock_irq+0x10/0x10\n[    3.333614]  msg_from_mpoad+0x1185/0x2750\n[    3.333893]  ? __build_skb_around+0x27b/0x3a0\n[    3.334183]  ? __pfx_msg_from_mpoad+0x10/0x10\n[    3.334501]  ? __alloc_skb+0x1c0/0x310\n[    3.334809]  ? __pfx___alloc_skb+0x10/0x10\n[    3.335283]  ? _raw_spin_lock+0xe0/0xe0\n[    3.335632]  ? finish_wait+0x8d/0x1e0\n[    3.335975]  vcc_sendmsg+0x684/0xba0\n[    3.336250]  ? __pfx_vcc_sendmsg+0x10/0x10\n[    3.336587]  ? __pfx_autoremove_wake_function+0x10/0x10\n[    3.337056]  ? fdget+0x176/0x3e0\n[    3.337348]  __sys_sendto+0x4a2/0x510\n[    3.337663]  ? __pfx___sys_sendto+0x10/0x10\n[    3.337969]  ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400\n[    3.338364]  ? sock_ioctl+0x1bb/0x5a0\n[    3.338653]  ? __rseq_handle_notify_resume+0x825/0xd20\n[    3.339017]  ? __pfx_sock_ioctl+0x10/0x10\n[    3.339316]  ? __pfx___rseq_handle_notify_resume+0x10/0x10\n[    3.339727]  ? selinux_file_ioctl+0xa4/0x260\n[    3.340166]  __x64_sys_sendto+0xe0/0x1c0\n[    3.340526]  ? syscall_exit_to_user_mode+0x123/0x140\n[    3.340898]  do_syscall_64+0xa6/0x1a0\n[    3.341170]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[    3.341533] RIP: 0033:0x44a380\n[    3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00\n[    \n---truncated---","modified":"2026-04-01T05:19:54.438283Z","published":"2025-04-16T05:15:31Z","upstream":["CVE-2025-22018"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22018"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.92.2-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61688.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}