LiveActive security incident?Get immediate response
CVE Record

CVE-2025-22069: riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler

In the Linux kernel, the following vulnerability has been resolved: riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler Naresh Kamboju reported a "Bad frame pointer" kernel warning while running LTP trace ftrace_stress_test.sh in riscv. We can reproduce the same issue with the following command: ``` $ cd /sys/kernel/debug/tracing $ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events $ echo 1 > events/fprobes/enable $ echo 1 > tracing_on $ sleep 1 ``` And we can get the following kernel warning: [ 127.692888] ------------[ cut here ]------------ [ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000 [ 127.693755] from func do_nanosleep return to ffffffff800ccb16 [ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be [ 127.699894] Modules linked in: [ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32 [ 127.701453] Hardware name: riscv-virtio,qemu (DT) [ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be [ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be [ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10 [ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000 [ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80 [ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20 [ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000 [ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038 [ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0 [ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068 [ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001 [ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e [ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18 [ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003 [ 127.703292] [<ffffffff8013b5e0>] ftrace_return_to_handler+0x1b2/0x1be [ 127.703760] [<ffffffff80017bce>] return_to_handler+0x16/0x26 [ 127.704009] [<ffffffff80017bb8>] return_to_handler+0x0/0x26 [ 127.704057] [<ffffffff800d3352>] common_nsleep+0x42/0x54 [ 127.704117] [<ffffffff800d44a2>] __riscv_sys_clock_nanosleep+0xba/0x10a [ 127.704176] [<ffffffff80901c56>] do_trap_ecall_u+0x188/0x218 [ 127.704295] [<ffffffff8090cc3e>] handle_exception+0x14a/0x156 [ 127.705436] ---[ end trace 0000000000000000 ]--- The reason is that the stack layout for constructing argument for the ftrace_return_to_handler in the return_to_handler does not match the __arch_ftrace_regs structure of riscv, leading to unexpected results.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel issue specific to RISC-V tracing support. When function graph tracing return handling is exercised, the kernel builds the stack argument layout incorrectly and can trigger a bad frame pointer warning. The public record does not establish active exploitation, privilege impact, or business impact beyond kernel misbehavior under tracing conditions.

Executive priority

Treat this as a targeted kernel maintenance item, not an emergency, unless the organization operates RISC-V Linux systems with tracing enabled. Patch through normal kernel update channels and ask platform owners to confirm exposure because public severity and exploitability evidence are incomplete.

Technical view

CVE-2025-22069 affects Linux RISC-V fgraph/ftrace return handling. The return_to_handler stack layout did not match the RISC-V __arch_ftrace_regs structure expected by ftrace_return_to_handler, producing unexpected results and a bad frame pointer warning during ftrace/fprobe stress activity. The issue is marked resolved in Linux stable commit references.

Likely exposure

Exposure appears limited to Linux kernel builds on RISC-V in the affected version ranges, especially systems where fgraph, ftrace, or fprobes are enabled or tested. The source bundle does not identify other architectures, distributions, cloud images, or appliances as affected.

Exploitation context

The bundle describes reproducible kernel warnings from tracing activity, not a weaponized exploit. KEV is false, and no cited source reports active exploitation. There is no CVSS score, CWE mapping, or confirmed attacker model in the provided evidence.

Researcher notes

The evidence is centered on a stack layout mismatch in RISC-V fgraph return handling. The reproduction context uses fprobes and tracing, but the record does not prove broader security impact. Research should focus on affected kernel lineage, backport status, and whether the warning can cause denial of service or integrity impact.

Mitigation direction

  • Update to a Linux kernel containing the referenced stable fixes or vendor backports.
  • Prioritize RISC-V systems that enable ftrace, fgraph, or fprobes.
  • If no vendor patch is available, monitor vendor guidance before changing production controls.
  • Avoid unnecessary tracing exposure on affected RISC-V systems until patched.
  • Track distribution advisories for backported fixes and affected package versions.

Validation and detection

  • Inventory RISC-V Linux systems and record kernel versions or vendor package releases.
  • Compare deployed kernels with the CVE affected and fixed version data.
  • Check kernel logs for bad frame pointer warnings involving ftrace_return_to_handler.
  • Confirm whether tracing features are enabled or used in operational workflows.
  • Verify the relevant stable fix is present in vendor changelogs or kernel source history.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-22069 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux33d4e904e24d14ff0fbc528b657ddc7c7b636e6a, a3ed4157b7d89800a0008de0c9e46a438a5c3745, a3ed4157b7d89800a0008de0c9e46a438a5c3745, 6.12.75unaffected
LinuxLinux6.14, 0, 6.12.92, 6.14.2, 6.15affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.