tee: fix NULL pointer dereference in tee_shm_put

Summary

CVE	CVE-2025-39865
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2025-09-19 16:15:45 UTC
Updated	2026-05-12 13:17:17 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-476

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected c05d8f66ec3470e5212c4d08c46d6cb5738d600d f266188603c34e6e234fb0dfc3185f0ba98d71b7 git	Not specified
CNA	Linux	Linux	affected 492eb7afe858d60408b2da09adc78540c4d16543 4377eac565c297fdfccd2f8e9bf94ee84ff6172f git	Not specified
CNA	Linux	Linux	affected dfd0743f1d9ea76931510ed150334d571fbab49d 25e315bc8ad363bd1194e49062f183ad4011957e git	Not specified
CNA	Linux	Linux	affected dfd0743f1d9ea76931510ed150334d571fbab49d add1ecc8f3ad8df22e3599c5c88d7907cc2a3079 git	Not specified
CNA	Linux	Linux	affected dfd0743f1d9ea76931510ed150334d571fbab49d 963fca19fe34c496e04f7dd133b807b76a5434ca git	Not specified
CNA	Linux	Linux	affected dfd0743f1d9ea76931510ed150334d571fbab49d 5e07a4235bb85d9ef664411e4ff4ac34783c18ff git	Not specified
CNA	Linux	Linux	affected dfd0743f1d9ea76931510ed150334d571fbab49d e4a718a3a47e89805c3be9d46a84de1949a98d5d git	Not specified
CNA	Linux	Linux	affected 3d556a28bbfe34a80b014db49908b0f1bcb1ae80 git	Not specified
CNA	Linux	Linux	affected b4a661b4212b8fac8853ec3b68e4a909dccc88a1 git	Not specified
CNA	Linux	Linux	affected 940e68e57ab69248fabba5889e615305789db8a7 git	Not specified
CNA	Linux	Linux	affected 5.16	Not specified
CNA	Linux	Linux	unaffected 5.16 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.243 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.192 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.151 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.105 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.46 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.16.6 6.16.* semver	Not specified
CNA	Linux	Linux	unaffected 6.17 * original_commit_for_fix	Not specified
ADP	Siemens	RUGGEDCOM RST2428P	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 Family	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XCH328	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XCM324	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XCM328	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XCM332	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRH334 24 V DC 8xFO CC	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 230 V AC 12xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 230 V AC 8xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 230V AC 2x10G 24xSFP 8xSFP	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 24 V DC 12xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 24 V DC 8xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 24V DC 2x10G 24xSFP 8xSFP	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 2x230 V AC 12xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 2x230 V AC 8xFO	affected V3.3 custom	Not specified
ADP	Siemens	SCALANCE XRM334 2x230V AC 2x10G 24xSFP 8xSFP	affected V3.3 custom	Not specified
ADP	Siemens	SIMATIC CN 4100	affected V5.0 custom	Not specified

References

Reference	Source	Link	Tags
lists.debian.org/debian-lts-announce/2025/10/msg00008.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Mailing List, Third Party Advisory
cert-portal.siemens.com/productcert/html/ssa-089022.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
git.kernel.org/stable/c/4377eac565c297fdfccd2f8e9bf94ee84ff6172f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/e4a718a3a47e89805c3be9d46a84de1949a98d5d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
cert-portal.siemens.com/productcert/html/ssa-032379.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
git.kernel.org/stable/c/add1ecc8f3ad8df22e3599c5c88d7907cc2a3079	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/25e315bc8ad363bd1194e49062f183ad4011957e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/f266188603c34e6e234fb0dfc3185f0ba98d71b7	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/963fca19fe34c496e04f7dd133b807b76a5434ca	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
lists.debian.org/debian-lts-announce/2025/10/msg00007.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Mailing List, Third Party Advisory
git.kernel.org/stable/c/5e07a4235bb85d9ef664411e4ff4ac34783c18ff	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.