Security Vulnerability Report
CVE-2025-71118 CVSS 5.5 MEDIUM

Published: 2026-01-14 15:16:01
Last Modified: 2026-03-25 18:55:17
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ACPICA: Avoid walking the Namespace if start_node is NULL

Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1].

That happens due to the access to the member of parent_node in acpi_ns_get_next_node(). The NULL pointer dereference will always happen, no matter whether or not the start_node is equal to ACPI_ROOT_OBJECT, so move the check of start_node being NULL out of the if block.

Unfortunately, all the attempts to contact Honor have failed, they refused to provide any technical support for Linux.

The bad DSDT table's dump could be found on GitHub [2].

DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025

[ rjw: Subject adjustment, changelog edits ]

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 0d8bb08126920fd4b12dbf32d9250757c9064b36
Linux Kernel < 1bc34293dfbd266c29875206849b4f8e8177e6df
Linux Kernel < 7f9b951ed11842373851dd3c91860778356d62d3
Linux Kernel < 9d6c58dae8f6590c746ac5d0012ffe14a77539f0
Linux Kernel < b84edef48cc8afb41150949a87dcfa81bc95b53e
Honor Magicbook 14 Pro (BIOS 1.13 05/08/2025)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-71118 PoC - userspace simulation of the NULL start_node dereference
// This program models the NULL pointer dereference reached via
// acpi_ns_get_next_node(); it does not load a DSDT or touch the kernel.
// Compile: gcc -o cve202571118_poc cve202571118_poc.c
#include <stdio.h>

// Simulate the vulnerable code path
void acpi_ns_get_next_node_vulnerable(void *start_node, void *acpi_gbl_root_node)
{
    void *parent_node = NULL;

    (void)acpi_gbl_root_node; // unused in the vulnerable model

    // Simplified model of the vulnerable pattern (not the kernel source):
    // a NULL start_node is not rejected before it is used.
    if (start_node == NULL) {
        // This line causes NULL pointer dereference when start_node is NULL
        parent_node = ((void **)start_node)[0]; // Dereferencing NULL pointer
    }

    printf("Parent node: %p\n", parent_node);
}

// Fixed version
void acpi_ns_get_next_node_fixed(void *start_node, void *acpi_gbl_root_node)
{
    void *parent_node = NULL;

    // Fixed code: Check NULL before any access
    if (start_node == NULL) {
        start_node = acpi_gbl_root_node;
    }

    // Now safe to access
    if (start_node != NULL) {
        parent_node = ((void **)start_node)[0];
    }

    printf("Parent node (fixed): %p\n", parent_node);
}

int main(void)
{
    printf("CVE-2025-71118 PoC - ACPICA NULL Pointer Dereference\n");
    printf("==================================================\n\n");

    // Run the fixed path first: the vulnerable call below terminates the
    // process with SIGSEGV, so nothing after it would execute.
    printf("Testing fixed code path with NULL start_node:\n");
    acpi_ns_get_next_node_fixed(NULL, NULL);

    printf("\nTesting vulnerable code path with NULL start_node:\n");
    fflush(stdout); // make sure the output above survives the crash
    acpi_ns_get_next_node_vulnerable(NULL, NULL);

    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71118", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:01.483", "lastModified": "2026-03-25T18:55:17.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Avoid walking the Namespace if start_node is NULL\n\nAlthough commit 0c9992315e73 (\"ACPICA: Avoid walking the ACPI Namespace\nif it is not there\") fixed the situation when both start_node and\nacpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed\non Honor Magicbook 14 Pro [1].\n\nThat happens due to the access to the member of parent_node in\nacpi_ns_get_next_node(). The NULL pointer dereference will always\nhappen, no matter whether or not the start_node is equal to\nACPI_ROOT_OBJECT, so move the check of start_node being NULL\nout of the if block.\n\nUnfortunately, all the attempts to contact Honor have failed, they\nrefused to provide any technical support for Linux.\n\nThe bad DSDT table's dump could be found on GitHub [2].\n\nDMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025\n\n[ rjw: Subject adjustment, changelog edits ]"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nACPICA: Evitar recorrer el Namespace si start_node es NULL\n\nAunque el commit 0c9992315e73 ('ACPICA: Evitar recorrer el ACPI Namespace si no está presente') arregló la situación cuando tanto start_node como acpi_gbl_root_node son NULL, la línea principal del kernel de Linux ahora todavía fallaba en Honor Magicbook 14 Pro [1].\n\nEso ocurre debido al acceso al miembro de parent_node en acpi_ns_get_next_node(). 
La desreferencia del puntero NULL siempre ocurrirá, sin importar si start_node es igual a ACPI_ROOT_OBJECT o no, así que mueva la comprobación de que start_node es NULL fuera del bloque if.\n\nDesafortunadamente, todos los intentos de contactar a Honor han fallado, se negaron a proporcionar cualquier soporte técnico para Linux.\n\nEl volcado de la tabla DSDT defectuosa se puede encontrar en GitHub [2].\n\nDMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025\n\n[ rjw: Ajuste del asunto, ediciones del registro de cambios ]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12.1", "versionEndExcluding": "5.10.248", "matchCriteriaId": "B818FEF1-9F13-4458-9516-D2579296ACAE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.160", "matchCriteriaId": "C10CC03E-16A9-428A-B449-40D3763E15F6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.120", 
"matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*", "matchCriteriaId": "6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "4F76C298-81DC-43E4-8FC9-DC005A2116EF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "0AB349B2-3F78-4197-882B-90ADB3BF645A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "6AC88830-A9BC-4607-B572-A4B502FC9FD0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*", "matchCriteriaId": "476CB3A5-D022-4F13-AAEF-CB6A5785516A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "ma ... (truncated)