{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39903","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.146Z","datePublished":"2025-10-01T07:42:50.215Z","dateUpdated":"2026-05-11T21:38:38.180Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:38:38.180Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nof_numa: fix uninitialized memory nodes causing kernel panic\n\nWhen there are memory-only nodes (nodes without CPUs), these nodes are not\nproperly initialized, causing kernel panic during boot.\n\nof_numa_init\n\tof_numa_parse_cpu_nodes\n\t\tnode_set(nid, numa_nodes_parsed);\n\tof_numa_parse_memory_nodes\n\nIn of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes\ncontaining CPUs.  Memory-only nodes should have been updated in\nof_numa_parse_memory_nodes, but they weren't.\n\nSubsequently, when free_area_init() attempts to access NODE_DATA() for\nthese uninitialized memory nodes, the kernel panics due to NULL pointer\ndereference.\n\nThis can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:\n\nqemu-system-aarch64 \\\n-cpu host -nographic \\\n-m 4G -smp 1 \\\n-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \\\n-object memory-backend-ram,size=2G,id=mem0 \\\n-object memory-backend-ram,size=2G,id=mem1 \\\n-numa node,nodeid=0,memdev=mem0 \\\n-numa node,nodeid=1,memdev=mem1 \\\n-kernel $IMAGE \\\n-hda $DISK \\\n-append \"console=ttyAMA0 root=/dev/vda rw earlycon\"\n\n[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]\n[    0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025\n[    0.000000] KASLR enabled\n[    0.000000] random: crng init done\n[    0.000000] Machine model: linux,dummy-virt\n[    0.000000] efi: UEFI not found.\n[    0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options '')\n[    0.000000] printk: legacy bootconsole [pl11] enabled\n[    0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT\n[    0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]\n[    0.000000] node 1 must be removed before remove section 23\n[    0.000000] Zone ranges:\n[    0.000000]   DMA      [mem 0x0000000040000000-0x00000000ffffffff]\n[    0.000000]   DMA32    empty\n[    0.000000]   Normal   [mem 0x0000000100000000-0x000000013fffffff]\n[    0.000000] Movable zone start for each node\n[    0.000000] Early memory node ranges\n[    0.000000]   node   0: [mem 0x0000000040000000-0x00000000bfffffff]\n[    0.000000]   node   1: [mem 0x00000000c0000000-0x000000013fffffff]\n[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]\n[    0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[    0.000000] Mem abort info:\n[    0.000000]   ESR = 0x0000000096000004\n[    0.000000]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    0.000000]   SET = 0, FnV = 0\n[    0.000000]   EA = 0, S1PTW = 0\n[    0.000000]   FSC = 0x04: level 0 translation fault\n[    0.000000] Data abort info:\n[    0.000000]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    0.000000]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    0.000000]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    0.000000] [00000000000000a0] user address but active_mm is swapper\n[    0.000000] Internal error: Oops: 0000000096000004 [#1]  SMP\n[    0.000000] Modules linked in:\n[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT\n[    0.000000] Hardware name: linux,dummy-virt (DT)\n[    0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.000000] pc : free_area_init+0x50c/0xf9c\n[    0.000000] lr : free_area_init+0x5c0/0xf9c\n[    0.000000] sp : ffffa02ca0f33c00\n[    0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000\n[    0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000\n[    0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368\n[    0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002\n[    0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001\n[    0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002\n[    0.0\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/of/of_numa.c"],"versions":[{"version":"767507654c22578ea0b51d181211b2e7714ea7cd","lessThan":"c2daa6eb4740720b5bd0e06267d7c93a3eed844e","status":"affected","versionType":"git"},{"version":"767507654c22578ea0b51d181211b2e7714ea7cd","lessThan":"f3286ad8eeae15fd4bd5c12f9adfe888b26baf62","status":"affected","versionType":"git"},{"version":"767507654c22578ea0b51d181211b2e7714ea7cd","lessThan":"ee4d098cbc9160f573b5c1b5a51d6158efdb2896","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/of/of_numa.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"6.12.46","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.6","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.16.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c2daa6eb4740720b5bd0e06267d7c93a3eed844e"},{"url":"https://git.kernel.org/stable/c/f3286ad8eeae15fd4bd5c12f9adfe888b26baf62"},{"url":"https://git.kernel.org/stable/c/ee4d098cbc9160f573b5c1b5a51d6158efdb2896"}],"title":"of_numa: fix uninitialized memory nodes causing kernel panic","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-39903","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-01-14T19:29:54.656415Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-14T19:33:14.557Z"}}]}}