{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22031", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.808Z", "datePublished": "2025-04-16T14:11:51.264Z", "dateUpdated": "2025-04-16T14:11:51.264Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-04-16T14:11:51.264Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion\n\nWhen BIOS neglects to assign bus numbers to PCI bridges, the kernel\nattempts to correct that during PCI device enumeration. If it runs out\nof bus numbers, no pci_bus is allocated and the \"subordinate\" pointer in\nthe bridge's pci_dev remains NULL.\n\nThe PCIe bandwidth controller erroneously does not check for a NULL\nsubordinate pointer and dereferences it on probe.\n\nBandwidth control of unusable devices below the bridge is of questionable\nutility, so simply error out instead. This mirrors what PCIe hotplug does\nsince commit 62e4492c3063 (\"PCI: Prevent NULL dereference during pciehp\nprobe\").\n\nThe PCI core emits a message with KERN_INFO severity if it has run out of\nbus numbers. PCIe hotplug emits an additional message with KERN_ERR\nseverity to inform the user that hotplug functionality is disabled at the\nbridge. A similar message for bandwidth control does not seem merited,\ngiven that its only purpose so far is to expose an up-to-date link speed\nin sysfs and throttle the link speed on certain laptops with limited\nThermal Design Power. So error out silently.\n\nUser-visible messages:\n\n pci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring\n [...]\n pci_bus 0000:45: busn_res: [bus 45-74] end is updated to 74\n pci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them\n [...]\n pcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring\n [...]\n BUG: kernel NULL pointer dereference\n RIP: pcie_update_link_speed\n pcie_bwnotif_enable\n pcie_bwnotif_probe\n pcie_port_probe_service\n really_probe"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/pci/pcie/bwctrl.c"], "versions": [{"version": "665745f274870c921020f610e2c99a3b1613519b", "lessThan": "d93d309013e89631630a12b1770d27e4be78362a", "status": "affected", "versionType": "git"}, {"version": "665745f274870c921020f610e2c99a3b1613519b", "lessThan": "1181924af78e5299ddec6e457789c02dd5966559", "status": "affected", "versionType": "git"}, {"version": "665745f274870c921020f610e2c99a3b1613519b", "lessThan": "667f053b05f00a007738cd7ed6fa1901de19dc7e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/pci/pcie/bwctrl.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.11", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.2", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/d93d309013e89631630a12b1770d27e4be78362a"}, {"url": "https://git.kernel.org/stable/c/1181924af78e5299ddec6e457789c02dd5966559"}, {"url": "https://git.kernel.org/stable/c/667f053b05f00a007738cd7ed6fa1901de19dc7e"}], "title": "PCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion", "x_generator": {"engine": "bippy-7c5fe7eed585"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion\n\nWhen BIOS neglects to assign bus numbers to PCI bridges, the kernel\nattempts to correct that during PCI device enumeration. If it runs out\nof bus numbers, no pci_bus is allocated and the \"subordinate\" pointer in\nthe bridge's pci_dev remains NULL.\n\nThe PCIe bandwidth controller erroneously does not check for a NULL\nsubordinate pointer and dereferences it on probe.\n\nBandwidth control of unusable devices below the bridge is of questionable\nutility, so simply error out instead. This mirrors what PCIe hotplug does\nsince commit 62e4492c3063 (\"PCI: Prevent NULL dereference during pciehp\nprobe\").\n\nThe PCI core emits a message with KERN_INFO severity if it has run out of\nbus numbers. PCIe hotplug emits an additional message with KERN_ERR\nseverity to inform the user that hotplug functionality is disabled at the\nbridge. A similar message for bandwidth control does not seem merited,\ngiven that its only purpose so far is to expose an up-to-date link speed\nin sysfs and throttle the link speed on certain laptops with limited\nThermal Design Power. So error out silently.\n\nUser-visible messages:\n\n pci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring\n [...]\n pci_bus 0000:45: busn_res: [bus 45-74] end is updated to 74\n pci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them\n [...]\n pcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring\n [...]\n BUG: kernel NULL pointer dereference\n RIP: pcie_update_link_speed\n pcie_bwnotif_enable\n pcie_bwnotif_probe\n pcie_port_probe_service\n really_probe"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PCI/bwctrl: Correcci\u00f3n de la desreferencia de puntero nulo al agotar el n\u00famero de bus. Cuando la BIOS no asigna n\u00fameros de bus a los puentes PCI, el kernel intenta corregirlo durante la enumeraci\u00f3n de dispositivos PCI. Si se agotan los n\u00fameros de bus, no se asigna ning\u00fan pci_bus y el puntero \"subordinado\" en el pci_dev del puente permanece nulo. El controlador de ancho de banda PCIe no busca err\u00f3neamente un puntero subordinado nulo y lo desreferencia al sondear. El control del ancho de banda de los dispositivos inutilizables debajo del puente es de dudosa utilidad, por lo que simplemente se genera un error. Esto refleja lo que hace PCIe hotplug desde el commit 62e4492c3063 (\"PCI: Evitar la desreferencia de puntero nulo durante el sondeo pciehp\"). El n\u00facleo PCI emite un mensaje con severidad KERN_INFO si se agotan los n\u00fameros de bus. PCIe hotplug emite un mensaje adicional con severidad KERN_ERR para informar al usuario que la funci\u00f3n hotplug est\u00e1 deshabilitada en el puente. Un mensaje similar para el control del ancho de banda no parece justificado, dado que su \u00fanico prop\u00f3sito hasta ahora es mostrar una velocidad de enlace actualizada en sysfs y limitarla en ciertas computadoras port\u00e1tiles con potencia de dise\u00f1o t\u00e9rmico limitada. Por lo tanto, el error se emite silenciosamente. Mensajes visibles para el usuario: pci 0000:16:02.0: configuraci\u00f3n de puente no v\u00e1lida ([bus 00-00]), reconfigurando [...] pci_bus 0000:45: busn_res: el extremo [bus 45-74] se actualiza a 74 pci 0000:16:02.0: los dispositivos detr\u00e1s del puente no se pueden usar porque no se puede asignar [bus 45-74] para ellos [...] pcieport 0000:16:02.0: pciehp: Puente hot-plug sin bus secundario, ignorando [...] ERROR: desreferencia de puntero NULL del kernel RIP: pcie_update_link_speed pcie_bwnotif_enable pcie_bwnotif_probe pcie_port_probe_service really_probe"}], "id": "CVE-2025-22031", "lastModified": "2025-04-29T18:57:00.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-16T15:15:55.710", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1181924af78e5299ddec6e457789c02dd5966559"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/667f053b05f00a007738cd7ed6fa1901de19dc7e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d93d309013e89631630a12b1770d27e4be78362a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: PCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion", "id": "2360263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360263"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nPCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion\nWhen BIOS neglects to assign bus numbers to PCI bridges, the kernel\nattempts to correct that during PCI device enumeration. If it runs out\nof bus numbers, no pci_bus is allocated and the \"subordinate\" pointer in\nthe bridge's pci_dev remains NULL.\nThe PCIe bandwidth controller erroneously does not check for a NULL\nsubordinate pointer and dereferences it on probe.\nBandwidth control of unusable devices below the bridge is of questionable\nutility, so simply error out instead. This mirrors what PCIe hotplug does\nsince commit 62e4492c3063 (\"PCI: Prevent NULL dereference during pciehp\nprobe\").\nThe PCI core emits a message with KERN_INFO severity if it has run out of\nbus numbers. PCIe hotplug emits an additional message with KERN_ERR\nseverity to inform the user that hotplug functionality is disabled at the\nbridge. A similar message for bandwidth control does not seem merited,\ngiven that its only purpose so far is to expose an up-to-date link speed\nin sysfs and throttle the link speed on certain laptops with limited\nThermal Design Power. So error out silently.\nUser-visible messages:\npci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring\n[...]\npci_bus 0000:45: busn_res: [bus 45-74] end is updated to 74\npci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them\n[...]\npcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring\n[...]\nBUG: kernel NULL pointer dereference\nRIP: pcie_update_link_speed\npcie_bwnotif_enable\npcie_bwnotif_probe\npcie_port_probe_service\nreally_probe"], "name": "CVE-2025-22031", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22031\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22031\nhttps://lore.kernel.org/linux-cve-announce/2025041656-CVE-2025-22031-b941@gregkh/T"], "threat_severity": "Low"}