LiveActive security incident?Get immediate response
CVE Record

CVE-2025-23131: dlm: prevent NPD when writing a positive value to event_done

In the Linux kernel, the following vulnerability has been resolved: dlm: prevent NPD when writing a positive value to event_done do_uevent returns the value written to event_done. In case it is a positive value, new_lockspace would undo all the work, and lockspace would not be set. __dlm_new_lockspace, however, would treat that positive value as a success due to commit 8511a2728ab8 ("dlm: fix use count with multiple joins"). Down the line, device_create_lockspace would pass that NULL lockspace to dlm_find_lockspace_local, leading to a NULL pointer dereference. Treating such positive values as successes prevents the problem. Given this has been broken for so long, this is unlikely to break userspace expectations.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-23131 is a Linux kernel DLM flaw that can lead to a NULL pointer dereference during lockspace creation. In business terms, the credible impact from the provided sources is kernel instability or denial of service on systems using DLM, not confirmed data theft or remote code execution.

Executive priority

Handle through normal kernel patch governance, with higher priority for clustered infrastructure where DLM is enabled. No source confirms active exploitation or critical impact, but kernel crash risk can affect availability.

Technical view

The bug is in Linux kernel DLM handling of positive returns from do_uevent when writing event_done. __dlm_new_lockspace treated a positive value as success while lockspace remained unset, allowing device_create_lockspace to pass NULL into dlm_find_lockspace_local and trigger a NULL pointer dereference.

Likely exposure

Exposure is most relevant to Linux systems using DLM or clustered locking functionality. The provided version data is incomplete and ambiguous, so vulnerability managers should verify against vendor kernel packages and the referenced stable kernel fixes.

Exploitation context

The bundle does not show KEV listing, active exploitation, public exploit evidence, CVSS, or CWE data. Treat this as a stability and availability risk until vendor advisories provide more context.

Researcher notes

The source describes a long-standing logic mismatch around positive return handling from do_uevent. Evidence supports NULL pointer dereference, but not exploitability beyond crash behavior. Version metadata should be validated against upstream stable commits and downstream backports.

Mitigation direction

  • Apply Linux vendor kernel updates that include the referenced stable fixes.
  • Prioritize clustered or DLM-enabled Linux systems for assessment.
  • Check distribution advisories for exact affected and fixed package versions.
  • Avoid assuming non-Linux systems or unrelated clustering products are affected.

Validation and detection

  • Inventory Linux kernels on systems using DLM or clustered locking.
  • Verify whether installed kernels include the referenced stable commits or vendor backports.
  • Review kernel crash logs for DLM NULL pointer dereference indicators.
  • Track vendor advisories for corrected affected-version ranges and severity.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-23131 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
8Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux8511a2728ab82cab398e39d019f5cf1246021c1c, 8511a2728ab82cab398e39d019f5cf1246021c1c, 8511a2728ab82cab398e39d019f5cf1246021c1c, 8511a2728ab82cab398e39d019f5cf1246021c1c, 8511a2728ab82cab398e39d019f5cf1246021c1c, 8511a2728ab82cab398e39d019f5cf1246021c1c, 8511a2728ab82cab398e39d019f5cf1246021c1cunaffected
LinuxLinux2.6.31, 0, 5.10.260, 5.15.211, 6.1.177, 6.6.144, 6.12.95, 6.14.2, 6.15affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.