CVE-2025-23147: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-23147 is a vulnerability discovered in the Linux kernel's I3C master driver implementation, first reported and published on May 1, 2025. The vulnerability affects the i3cmasterqueue_ibi() function in the Linux kernel's I3C subsystem (NVD Database, Wiz).

The vulnerability occurs when the I3C master driver receives an In-Band Interrupt (IBI) from a target device that has not been fully probed. When the master calls i3cmasterqueue_ibi() to queue an IBI work task, it can lead to an 'Unable to handle kernel read from unreadable memory' error and subsequently result in a kernel panic. This happens because target device events are asynchronous to the I3C probe sequence, allowing step 3 to occur before step 2, which causes dev->ibi to be NULL. The vulnerability has received a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability can result in a kernel panic, which leads to system instability and potential denial of service. This affects the overall system reliability and availability, particularly in environments where I3C devices are actively used (Wiz).

The vulnerability has been resolved by adding a NULL pointer check in the i3cmasterqueue_ibi() function to prevent accessing an uninitialized dev->ibi. This fix ensures system stability by properly handling cases where IBIs are received from unprobed devices. The fix has been implemented in various Linux distributions, with Debian Bookworm (version 6.1.135-1) and Trixie (version 6.12.25-1) already containing the fix (Debian Tracker).