CVE-2025-22017

devlink: fix xa_alloc_cyclic() error handling

Description

In the Linux kernel, the following vulnerability has been resolved: devlink: fix xa_alloc_cyclic() error handling In case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will be returned, which will cause IS_ERR() to be false. Which can lead to dereference not allocated pointer (rel). Fix it by checking if err is lower than zero. This wasn't found in real usecase, only noticed. Credit to Pierre.

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/f8aaa38cfaf6f20afa4db36b6529032fb69165dc
https://git.kernel.org/stable/c/466132f6d28a7e47a82501fe1c46b8f90487412e
https://git.kernel.org/stable/c/f3b97b7d4bf316c3991e5634c9f4847c2df35478

Frequently Asked Questions

What is the severity of CVE-2025-22017?
CVE-2025-22017 has not yet been assigned a CVSS score.
How to fix CVE-2025-22017?
To fix CVE-2025-22017, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-22017 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-22017 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-22017?
CVE-2025-22017 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.