CVE-2025-22031

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-22031
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22031.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-22031
Downstream
Published
2025-04-16T14:11:51Z
Modified
2025-10-15T04:03:50.649238Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
PCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion

When BIOS neglects to assign bus numbers to PCI bridges, the kernel attempts to correct that during PCI device enumeration. If it runs out of bus numbers, no pcibus is allocated and the "subordinate" pointer in the bridge's pcidev remains NULL.

The PCIe bandwidth controller erroneously does not check for a NULL subordinate pointer and dereferences it on probe.

Bandwidth control of unusable devices below the bridge is of questionable utility, so simply error out instead. This mirrors what PCIe hotplug does since commit 62e4492c3063 ("PCI: Prevent NULL dereference during pciehp probe").

The PCI core emits a message with KERNINFO severity if it has run out of bus numbers. PCIe hotplug emits an additional message with KERNERR severity to inform the user that hotplug functionality is disabled at the bridge. A similar message for bandwidth control does not seem merited, given that its only purpose so far is to expose an up-to-date link speed in sysfs and throttle the link speed on certain laptops with limited Thermal Design Power. So error out silently.

User-visible messages:

pci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring [...] pcibus 0000:45: busnres: [bus 45-74] end is updated to 74 pci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them [...] pcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring [...] BUG: kernel NULL pointer dereference RIP: pcieupdatelinkspeed pciebwnotifenable pciebwnotifprobe pcieportprobeservice really_probe

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
665745f274870c921020f610e2c99a3b1613519b
Fixed
d93d309013e89631630a12b1770d27e4be78362a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
665745f274870c921020f610e2c99a3b1613519b
Fixed
1181924af78e5299ddec6e457789c02dd5966559
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
665745f274870c921020f610e2c99a3b1613519b
Fixed
667f053b05f00a007738cd7ed6fa1901de19dc7e

Affected versions

v6.*

v6.12
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1

Database specific 

{
    "vanir_signatures": [
        {
            "signature_type": "Line",
            "target": {
                "file": "drivers/pci/pcie/bwctrl.c"
            },
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "155515187737917959938578481998955846750",
                    "596048576266226078141268896590466656",
                    "74220490264536327284122397676215699616"
                ]
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d93d309013e89631630a12b1770d27e4be78362a",
            "id": "CVE-2025-22031-53bebfa9"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "drivers/pci/pcie/bwctrl.c"
            },
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "155515187737917959938578481998955846750",
                    "596048576266226078141268896590466656",
                    "74220490264536327284122397676215699616"
                ]
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1181924af78e5299ddec6e457789c02dd5966559",
            "id": "CVE-2025-22031-5b4183d3"
        },
        {
            "signature_type": "Function",
            "target": {
                "file": "drivers/pci/pcie/bwctrl.c",
                "function": "pcie_bwnotif_probe"
            },
            "signature_version": "v1",
            "digest": {
                "length": 805.0,
                "function_hash": "112651007852479473266682586109198027144"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d93d309013e89631630a12b1770d27e4be78362a",
            "id": "CVE-2025-22031-7e3bc590"
        },
        {
            "signature_type": "Function",
            "target": {
                "file": "drivers/pci/pcie/bwctrl.c",
                "function": "pcie_bwnotif_probe"
            },
            "signature_version": "v1",
            "digest": {
                "length": 805.0,
                "function_hash": "112651007852479473266682586109198027144"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1181924af78e5299ddec6e457789c02dd5966559",
            "id": "CVE-2025-22031-8f437ae7"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.11
Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.2