Linux Kernel Null Pointer Dereference Vulnerability in Crypto Library's mpi_cmp_ui Function

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's crypto library, specifically in the mpi_cmp_ui function. It is triggered during NVMe over TCP authentication when a controller specifies an 8192-bit Diffie-Hellman group and sends a correctly sized but all-zero Diffie-Hellman value. The function dh_is_pubkey_valid() passes a '1' to mpi_cmp_ui(), which only handles a zeroed value correctly for '0'. This mismatch causes a null pointer to be dereferenced, producing a kernel oops.
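
The following userspace model is an added example, not the kernel's own code and not part of this advisory: it mimics how the MPI library turns an all-zero buffer into an integer with no limbs and a NULL limb array, shows the comparison shape that then dereferences that pointer for any non-zero comparand, and the shape that settles the zero-limb case first. The struct layout, the helper names (mpi_from_raw, cmp_raw) and the 1024-byte sample inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
typedef unsigned long mpi_limb_t;
#define LIMB_BYTES sizeof(mpi_limb_t)
/* Stand-in for the kernel MPI object (assumption: sign handling and normalisation omitted). */
struct mpi { size_t nlimbs; mpi_limb_t *d; };
/* Model of mpi_read_raw_data(): leading zero bytes are dropped before the limb array is sized,
 * so a correctly sized but all-zero DH value becomes an MPI with nlimbs == 0 and d == NULL. */
static struct mpi *mpi_from_raw(const unsigned char *buf, size_t len)
{
    size_t skip = 0, j;
    while (skip < len && buf[skip] == 0) skip++;
    size_t nbytes = len - skip;
    struct mpi *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->nlimbs = (nbytes + LIMB_BYTES - 1) / LIMB_BYTES;
    m->d = m->nlimbs ? calloc(m->nlimbs, sizeof(mpi_limb_t)) : NULL;
    if (m->nlimbs && !m->d) { free(m); return NULL; }
    for (j = 0; j < nbytes; j++)   /* big-endian bytes into little-endian limbs */
        m->d[j / LIMB_BYTES] |= (mpi_limb_t)buf[len - 1 - j] << (8 * (j % LIMB_BYTES));
    return m;
}
/* Vulnerable shape: the zero-limb shortcut only covers v == 0, so a zeroed value compared
 * against 1 falls through to u->d[0] with d == NULL (the kernel oops described above). */
static int mpi_cmp_ui_vulnerable(const struct mpi *u, unsigned long v)
{
    if (!u->nlimbs && !v) return 0;
    if (u->nlimbs > 1) return 1;
    return u->d[0] == v ? 0 : (u->d[0] > v ? 1 : -1);   /* NULL dereference when nlimbs == 0 */
}
/* Fixed shape: settle the zero-limb case for every v before touching the limb array. */
static int mpi_cmp_ui_fixed(const struct mpi *u, unsigned long v)
{
    if (!u->nlimbs) return v ? -1 : 0;
    if (u->nlimbs > 1) return 1;
    return u->d[0] == v ? 0 : (u->d[0] > v ? 1 : -1);
}
/* Compare a raw big-endian value against v with either variant (-2: allocation failure). The
 * modelled DH check is mpi_cmp_ui(y, 1) > 0: the peer's value must exceed 1. */
static int cmp_raw(const unsigned char *buf, size_t len, unsigned long v, int use_fixed)
{
    struct mpi *u = mpi_from_raw(buf, len);
    if (!u) return -2;
    int r = use_fixed ? mpi_cmp_ui_fixed(u, v) : mpi_cmp_ui_vulnerable(u, v);
    free(u->d); free(u);
    return r;
}
/* Constructed inputs: 1024 bytes (8192 bits), all zero, or with only the last byte set to 2. */
static const unsigned char zeroed_dh[1024];
static const unsigned char two_dh[1024] = { [1023] = 2 };
```

With the fixed variant the zeroed value compares below 1 and is rejected; the vulnerable variant is only safe to call on the zeroed input with v == 0, which is the single zero-limb case its shortcut covers.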

Impact

Triggering this vulnerability produces a kernel oops, crashing or destabilising the affected system.

Reproduction

The issue is reproduced during NVMe over TCP authentication when the controller specifies an 8192-bit Diffie-Hellman group and sends a Diffie-Hellman value that is correctly sized but entirely zero. mpi_cmp_ui handles this value incorrectly, leading to the null pointer dereference.

Remediation

Upgrade to a Linux kernel release that includes the fix for this issue.

Added: Dec 9, 2025, 1:25 AM
Updated: Dec 9, 2025, 1:25 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.