CVE-2025-38113: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38113 is a vulnerability discovered in the Linux kernel, specifically affecting the ACPI CPPC (Collaborative Processor Performance Control) component. The vulnerability was disclosed on July 3, 2025, and involves a NULL pointer dereference issue that occurs when the 'nosmp' command line option is used (NVD, CVE).

The vulnerability occurs in the Linux kernel's ACPI CPPC implementation. When the 'nosmp' parameter is used in the command line, secondary CPUs are not initialized, resulting in their cpcdescptr remaining NULL. The issue manifests when CPU0 attempts to iterate through all possible CPUs using foreachpossiblecpu(), leading to NULL pointer dereferences. This causes a kernel panic with the error message 'Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8' in the cppcallowfastswitch function (NVD).

When exploited, this vulnerability results in a kernel panic, effectively causing a system crash with the message 'Kernel panic - not syncing: Attempted to kill init!' This can lead to system unavailability and potential service disruption (CVE).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has marked it as 'Not affected' for versions 22.04 LTS, 20.04 LTS, 18.04 LTS, and 16.04 LTS, while newer versions (24.04 LTS, 24.10, and 25.04) are marked as vulnerable and await updates (Ubuntu). Debian has released fixes in version 6.12.35-1 for some releases (Debian).