{"id":"AZL-61700","summary":"CVE-2025-22070 affecting package kernel 6.6.126.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: fix NULL pointer dereference on mkdir\n\nWhen a 9p tree was mounted with option 'posixacl', parent directory had a\ndefault ACL set for its subdirectories, e.g.:\n\n  setfacl -m default:group:simpsons:rwx parentdir\n\nthen creating a subdirectory crashed 9p client, as v9fs_fid_add() call in\nfunction v9fs_vfs_mkdir_dotl() sets the passed 'fid' pointer to NULL\n(since dafbe689736) even though the subsequent v9fs_set_create_acl() call\nexpects a valid non-NULL 'fid' pointer:\n\n  [   37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000\n  ...\n  [   37.322338] Call Trace:\n  [   37.323043]  \u003cTASK\u003e\n  [   37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n  [   37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714)\n  [   37.325532] ? search_module_extables (kernel/module/main.c:3733)\n  [   37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet\n  [   37.328006] ? search_bpf_extables (kernel/bpf/core.c:804)\n  [   37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538)\n  [   37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574)\n  [   37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet\n  [   37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p\n  [   37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p\n  [   37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p\n  [   37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p\n  [   37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p\n  [   37.338590] vfs_mkdir (fs/namei.c:4313)\n  [   37.339535] do_mkdirat (fs/namei.c:4336)\n  [   37.340465] __x64_sys_mkdir (fs/namei.c:4354)\n  [   37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n  [   37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by simply swapping the sequence of these two calls in\nv9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before\nv9fs_fid_add().","modified":"2026-04-01T05:19:54.355826Z","published":"2025-04-16T15:16:01Z","upstream":["CVE-2025-22070"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22070"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"6.6.126.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61700.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}