NULL Pointer Dereference Affecting kernel-uek-debug-modules-desktop package, versions <0:6.12.0-102.36.5.2.el10uek
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-ORACLE10-KERNELUEKDEBUGMODULESDESKTOP-10840426
- published20 Jul 2025
- disclosed20 May 2025
Introduced: 20 May 2025
CVE-2025-37953 (opens in a new tab)How to fix?
Upgrade Oracle:10 kernel-uek-debug-modules-desktop to version 0:6.12.0-102.36.5.2.el10uek or higher.
This issue was patched in ELSA-2025-20530.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-uek-debug-modules-desktop package and not the kernel-uek-debug-modules-desktop package as distributed by Oracle.
See How to fix? for Oracle:10 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
sch_htb: make htb_deactivate() idempotent
Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent.
It turns out in the following case it introduced some regression:
htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_qlen_notify() |-> htb_deactivate() |-> htb_next_rb_node() |-> htb_deactivate()
For htb_next_rb_node(), after calling the 1st htb_deactivate(), the clprio[prio]->ptr could be already set to NULL, which means htb_next_rb_node() is vulnerable here.
For htb_deactivate(), although we checked qlen before calling it, in case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again which triggers the warning inside.
To fix the issues here, we need to:
- Make htb_deactivate() idempotent, that is, simply return if we already call it before.
- Make htb_next_rb_node() safe against ptr==NULL.
Many thanks to Alan for testing and for the reproducer.
References
- https://linux.oracle.com/cve/CVE-2025-37953.html
- https://linux.oracle.com/errata/ELSA-2025-20480.html
- https://linux.oracle.com/errata/ELSA-2025-20530.html
- https://linux.oracle.com/errata/ELSA-2025-25757.html
- https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07
- https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71
- https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d
- https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153
- https://git.kernel.org/stable/c/a9945f7cf1709adc5d2d31cb6cfc85627ce299a8
- https://git.kernel.org/stable/c/c2d25fddd867ce20a266806634eeeb5c30cb520c
- https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b
- https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
- https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html