CVE-2025-23131: dlm: prevent NPD when writing a positive value to event_done
In the Linux kernel, the following vulnerability has been resolved:
dlm: prevent NPD when writing a positive value to event_done
do_uevent returns the value written to event_done. In case it is a
positive value, new_lockspace would undo all the work, and lockspace
would not be set. __dlm_new_lockspace, however, would treat that
positive value as a success due to commit 8511a2728ab8 ("dlm: fix use
count with multiple joins").
Down the line, device_create_lockspace would pass that NULL lockspace to
dlm_find_lockspace_local, leading to a NULL pointer dereference.
Treating such positive values as successes prevents the problem. Given
this has been broken for so long, this is unlikely to break userspace
expectations.
Security readout for executives and security teams
Plain-English summary
CVE-2025-23131 is a Linux kernel DLM flaw that can lead to a NULL pointer dereference during lockspace creation. In business terms, the credible impact from the provided sources is kernel instability or denial of service on systems using DLM, not confirmed data theft or remote code execution.
Executive priority
Handle through normal kernel patch governance, with higher priority for clustered infrastructure where DLM is enabled. No source confirms active exploitation or critical impact, but kernel crash risk can affect availability.
Technical view
The bug is in Linux kernel DLM handling of positive returns from do_uevent when writing event_done. __dlm_new_lockspace treated a positive value as success while lockspace remained unset, allowing device_create_lockspace to pass NULL into dlm_find_lockspace_local and trigger a NULL pointer dereference.
Likely exposure
Exposure is most relevant to Linux systems using DLM or clustered locking functionality. The provided version data is incomplete and ambiguous, so vulnerability managers should verify against vendor kernel packages and the referenced stable kernel fixes.
Exploitation context
The bundle does not show KEV listing, active exploitation, public exploit evidence, CVSS, or CWE data. Treat this as a stability and availability risk until vendor advisories provide more context.
Researcher notes
The source describes a long-standing logic mismatch around positive return handling from do_uevent. Evidence supports NULL pointer dereference, but not exploitability beyond crash behavior. Version metadata should be validated against upstream stable commits and downstream backports.
Mitigation direction
Apply Linux vendor kernel updates that include the referenced stable fixes.
Prioritize clustered or DLM-enabled Linux systems for assessment.
Check distribution advisories for exact affected and fixed package versions.
Avoid assuming non-Linux systems or unrelated clustering products are affected.
Validation and detection
Inventory Linux kernels on systems using DLM or clustered locking.
Verify whether installed kernels include the referenced stable commits or vendor backports.
Review kernel crash logs for DLM NULL pointer dereference indicators.
Track vendor advisories for corrected affected-version ranges and severity.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-23131 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
8Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Apr 16, 2025, 14:13 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.