Linux Kernel: Asynchronous PCI Group Creation Can Cause System Crash
CVE-2025-71233
Summary
A Linux kernel vulnerability has been fixed that could crash the system with a NULL pointer dereference when a PCI endpoint function's configfs directory is removed while its sub-groups are still being created by a delayed work item. If you're using an affected kernel, update as soon as possible to a version that includes the fix.
Original title
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Avoid creating sub-groups asynchronously
The asynchronous creation of sub-groups by a delayed work could lead to...
Original description
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Avoid creating sub-groups asynchronously

The asynchronous creation of sub-groups by a delayed work could lead to a
NULL pointer dereference when the driver directory is removed before the
work completes.

The crash can be easily reproduced with the following commands:

  # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
  # for i in {1..20}; do mkdir test && rmdir test; done

  BUG: kernel NULL pointer dereference, address: 0000000000000088
  ...
  Call Trace:
   configfs_register_group+0x3d/0x190
   pci_epf_cfs_work+0x41/0x110
   process_one_work+0x18f/0x350
   worker_thread+0x25a/0x3a0

Fix this issue by using configfs_add_default_group() API which does not
have the deadlock problem as configfs_register_group() and does not require
the delayed work handler.

[mani: slightly reworded the description and added stable list]
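
A triage check for the crash signature quoted above, as an added example that is not part of the advisory or the kernel patch: it scans dmesg-style lines for a NULL pointer dereference oops whose call trace contains both pci_epf_cfs_work and configfs_register_group. The sample log is constructed, and some_other_driver_work is a hypothetical frame used as a non-matching control.

```python
import re

# Frames from the call trace quoted in the description above.
SIGNATURE_FRAMES = ("pci_epf_cfs_work", "configfs_register_group")
OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Constructed sample log; the second oops is an unrelated control case
# (some_other_driver_work is a hypothetical function name).
SAMPLE_LOG = """\
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000088
[  101.000002] Call Trace:
[  101.000003]  configfs_register_group+0x3d/0x190
[  101.000004]  pci_epf_cfs_work+0x41/0x110
[  101.000005]  process_one_work+0x18f/0x350
[  101.000006]  worker_thread+0x25a/0x3a0
[  101.000007] ---[ end trace 0000000000000000 ]---
[  250.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  250.000002] Call Trace:
[  250.000003]  some_other_driver_work+0x12/0x80
[  250.000004]  process_one_work+0x18f/0x350
[  250.000005] ---[ end trace 0000000000000000 ]---
""".splitlines()


def find_matching_oopses(lines):
    """Return NULL-deref oopses whose trace contains every signature frame."""
    reports, current = [], None
    for lineno, line in enumerate(lines, 1):
        start = OOPS_START.search(line)
        if start:
            if current:  # previous report was cut off before its end marker
                reports.append(current)
            current = {"line": lineno, "address": start.group(1), "frames": []}
        elif current is not None:
            frame = FRAME.search(line)
            if frame:
                current["frames"].append(frame.group(1))
            elif "---[ end trace" in line:
                reports.append(current)
                current = None
    if current:  # log ended mid-report (common when the machine went down)
        reports.append(current)
    return [r for r in reports
            if all(f in r["frames"] for f in SIGNATURE_FRAMES)]


if __name__ == "__main__":
    for hit in find_matching_oopses(SAMPLE_LOG):
        print(f"line {hit['line']}: oops at {hit['address']}: {hit['frames']}")
```
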
- https://git.kernel.org/stable/c/24a253c3aa6d9a2cde46158ce9782e023bfbf32d
- https://git.kernel.org/stable/c/5f609b3bffd4207cf9f2c9b41e1978457a5a1ea9
- https://git.kernel.org/stable/c/73cee890adafa2c219bb865356e08e7f82423fe5
- https://git.kernel.org/stable/c/7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c
- https://git.kernel.org/stable/c/8cb905eca73944089a0db01443c7628a9e87012d
- https://git.kernel.org/stable/c/d9af3cf58bb4c8d6dea4166011c780756b1138b5
- https://git.kernel.org/stable/c/fa9fb38f5fe9c80094c2138354d45cdc8d094d69
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026