CVE-2025-71313: Linux Kernel PCI Endpoint NULL Pointer Dereference
A memory allocation failure in the Linux kernel's PCI endpoint driver could cause the system to crash. When the kernel tries to create a work queue for handling PCI endpoint-to-endpoint communication, it doesn't properly check whether that operation succeeded. If memory is scarce and the allocation fails, the driver continues anyway and later attempts to use the non-existent queue, triggering a NULL pointer dereference that halts the affected system. The fix is straightforward: check whether the allocation succeeded before proceeding.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Add missing NULL check for alloc_workqueue() alloc_workqueue() can return NULL on memory allocation failure. Without proper error checking, this may lead to a NULL pointer dereference when queue_work() is later called with the NULL workqueue pointer in epf_ntb_epc_init(). Add a NULL check immediately after alloc_workqueue() and return -ENOMEM on failure to prevent the driver from loading with an invalid workqueue pointer.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-71313 addresses a missing NULL pointer check in the Linux kernel's PCI endpoint driver (specifically in epf_ntb_epc_init()). The alloc_workqueue() function, used to allocate a kernel work queue, may return NULL on memory allocation failure. The original code did not validate this return value before passing the queue pointer to queue_work(), creating a NULL pointer dereference vulnerability (CWE-476). The patch adds immediate error checking after alloc_workqueue() and returns -ENOMEM if allocation fails, preventing the driver from initializing with an invalid workqueue reference.
Business impact
This vulnerability primarily affects system availability. Exploitation requires local access and can be triggered under memory pressure conditions, potentially causing unplanned system crashes or forced reboots. The impact is most significant for servers or embedded systems running PCI endpoint controllers that rely on NTB (Non-Transparent Bridge) functionality, where unexpected downtime disrupts service continuity. Systems not using PCI endpoint functionality are unaffected.
Affected systems
The vulnerability affects the Linux kernel across distributions that include the PCI endpoint driver. Kernel versions prior to the patch introduction are vulnerable; the exact vulnerable version range should be verified against your distribution's kernel timeline. Systems using PCI endpoint-to-endpoint communication, particularly those with NTB (Non-Transparent Bridge) configurations, are at highest risk. Embedded systems, hypervisors, and specialized servers with direct PCIe interconnection are more likely to be affected than standard consumer or office infrastructure.
Exploitability
This vulnerability requires local access (AV:L) and unprivileged user privileges (PR:L) to trigger. An attacker cannot exploit this remotely. Triggering requires inducing memory pressure on the system to cause alloc_workqueue() to fail, or loading the affected driver module when memory is constrained. No user interaction is necessary once conditions align. While not trivial to trigger intentionally, the vulnerability is deterministic—it will fail consistently under genuine low-memory conditions, making it a reliability issue as much as a security concern.
Remediation
Apply the patch that adds a NULL check following alloc_workqueue() in epf_ntb_epc_init(). The fix returns -ENOMEM and prevents driver initialization if memory allocation fails. Verify the patch version number against your distribution's kernel advisory. For most distributions, this will arrive via standard kernel security updates. Prioritize patching systems that actively use PCI endpoint functionality; systems without this hardware configuration can be assessed at lower urgency.
Patch guidance
Check your Linux distribution's kernel security advisories for the patched kernel version addressing CVE-2025-71313. Apply the latest recommended kernel update for your distribution. Most major distributions (RHEL, Ubuntu, Debian, SLES) will provide a patched kernel version through their normal security channels. Verify that the patch is included by confirming the alloc_workqueue() error-checking code in the epf_ntb driver. If compiling custom kernels, ensure your upstream kernel version includes this commit.
Detection guidance
Monitor kernel logs for memory allocation failures in the PCI endpoint driver (dmesg output will show alloc_workqueue() failures). Watch for unexpected system crashes or reboots coinciding with low-memory conditions on systems using PCI endpoint functionality. System administrators can also check the running kernel version against known vulnerable ranges for their distribution. Kernel crash dumps will show a NULL pointer dereference in queue_work() if exploitation occurs.
Why prioritize this
This is a medium-severity local denial-of-service vulnerability with straightforward remediation. Prioritize patching systems that use PCI endpoint or NTB functionality, as they face realistic exploitation risk under resource constraints. Standard workstations and servers without PCI endpoint hardware can be patched on the next scheduled maintenance window. The lack of remote exploitability and requirement for local access reduces enterprise-wide urgency, but systems using the affected hardware should be updated promptly.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects local-only attack surface (AV:L), low privileges required (PR:L), high availability impact (A:H), and no confidentiality or integrity consequences. The score appropriately captures that this is a denial-of-service vulnerability with limited attack scope—only systems with local access and using the specific driver are at risk. The straightforward nature of the fix and low barrier to patching reduce practical risk further.
Frequently asked questions
Do I need to patch this vulnerability if my system doesn't use PCI endpoint controllers?
Likely not immediately. This vulnerability is specific to the PCI endpoint driver. If your system does not use PCI endpoint-to-endpoint communication (NTB), the vulnerable code path is not active. However, for maximum security hygiene and to ensure future compatibility, apply kernel security updates on your normal schedule.
What triggers the alloc_workqueue() failure that causes this crash?
Memory allocation failures occur under genuine low-memory conditions, such as when the system is under sustained memory pressure or available memory is exhausted. An attacker with local access could potentially trigger memory pressure to induce failure, but this is not a practical attack vector for most environments—the vulnerability is more commonly a reliability concern.
Will the fix prevent all PCI endpoint driver crashes?
No. This patch addresses specifically the NULL pointer dereference from unchecked alloc_workqueue() failure. Other bugs in the PCI endpoint driver may exist independently. This fix ensures the driver fails gracefully during initialization rather than crashing during operation.
How quickly should I apply this patch?
Apply this patch as part of your next kernel security update cycle for systems using PCI endpoint functionality. For systems without this hardware, apply it on your standard maintenance schedule. Given the medium severity rating and local-only attack surface, urgent out-of-band patching is not typically required unless you operate high-availability PCI endpoint interconnects.
This analysis is provided for informational purposes. The vulnerability details, CVSS score, affected products, and patch guidance are based on the provided source data and public vulnerability databases. Always verify patch availability and compatibility with your specific distribution and kernel version before applying updates. Test patches in non-production environments first. Consult your distribution's security advisory for authoritative patch guidance and timelines. This is not legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46110HIGHLinux stmmac NULL Dereference DoS Vulnerability
- CVE-2026-46114HIGHLinux Kernel RDMA RXE Remote Memory Leak via Malformed ATOMIC_WRITE
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)
- CVE-2025-60483MEDIUMMP4Box AC4 Parser NULL Pointer DoS Vulnerability