CVE-2025-22044: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-22044 is a vulnerability in the Linux kernel's ACPI NFIT (NVDIMM Firmware Interface Table) subsystem, discovered and disclosed on April 16, 2025. The issue specifically affects the acpi_nfit_ctl function's handling of type conversion (NVD).

The vulnerability stems from a narrowing conversion issue in the acpi_nfit_ctl function. The function verifies a user-provided value call_pkg->nd_family of type u64 for non-zero, but performs the integer comparison after converting it to int. This can lead to passing an invalid argument if call_pkg->nd_family is non-zero while its lower 32 bits are zero. The issue was initially detected by Syzkaller, which reported a warning in to_nfit_bus_uuid() stating 'only secondary bus families can be translated'. Red Hat has assigned this vulnerability a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (Red Hat).

The vulnerability can lead to undefined behavior when processing invalid user input in the ACPI NFIT subsystem. While the system currently emits a warning, this is insufficient to prevent potential undefined behavior based on invalid user input (Red Hat).

The issue has been fixed in Linux kernel version 6.12.25-1. Red Hat Enterprise Linux 9 has deferred the fix for both kernel and kernel-rt packages. Several Linux distributions have released or are in the process of releasing patches, including Debian which has fixed the issue in version 6.12.25-1 (Debian Tracker).