CVE-2022-49925: 
Linux Kernel vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2022-49925) was discovered in the Linux kernel's RDMA/core subsystem, specifically in the ibcorecleanup() function. The vulnerability was publicly disclosed in May 2025 and affects Linux kernel versions from 5.5 up to versions before 5.10.154, from 5.11 up to versions before 5.15.78, and from 5.16 onwards (NVD).

The vulnerability occurs when the rocegidmgmtinit() function fails to allocate the workqueue (gidcachewq), but this failure is ignored in the initialization process. Subsequently, when ibcore_cleanup() attempts to destroy the unallocated workqueue, it results in a null pointer dereference. This was confirmed through KASAN (Kernel Address Sanitizer) which reported the null-ptr-deref error in the range [0x0000000000000118-0x000000000000011f]. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Debian Tracker).

The vulnerability affects the Linux kernel's RDMA (Remote Direct Memory Access) core functionality. When triggered, it can cause a kernel crash, potentially leading to denial of service conditions on affected systems (Wiz).

The vulnerability has been fixed by implementing proper error handling to catch the failure of rocegidmgmtinit() in ibcore_init(). Multiple Linux distributions have released patched versions, including Debian which has fixed versions available in bullseye (5.10.234-1), bookworm (6.1.135-1), trixie (6.12.25-1), and sid (6.12.27-1) (Debian Tracker).