CVE-2025-68176
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI: cadence: Check for the existence of cdns_pcie::ops before using it
cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.
Hence, add a check to prevent NULL pointer dereference.
[mani: reworded subject and description]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Cadence PCIe controller driver is fixed by checking for the existence of the ops structure before use.
Vulnerability
Analysis
CVE-2025-68176 is a NULL pointer dereference vulnerability in the Linux kernel's Cadence PCIe controller driver (pcie-cadence). The root cause is that the cdns_pcie::ops pointer may not be populated by all glue drivers that interface with the Cadence core. The upcoming Sophgo platform, which does not set the ops. The driver previously accessed this pointer without a NULL check, leading to a potential crash when the pointer is NULL [1][2][3].
Exploitation
An attacker could trigger this vulnerability by causing the system to use a Cadence PCIe controller with a glue driver that does not initialize the ops structure. This requires local access to the system and the ability to trigger PCIe controller operations, such as through device enumeration or power management events. No special privileges beyond normal user access are needed to trigger the vulnerable code path.
Impact
Successful exploitation results in a kernel NULL pointer dereference, which causes a system crash (kernel panic) or denial of service. This can lead to system instability and unavailability. There is no evidence of privilege escalation or data corruption from this vulnerability.
Mitigation
The fix has been applied to the Linux kernel stable tree in commits [1], [2], and [3]. Users should update their kernel to a version containing these commits. No workarounds are available other than applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/0d0bb756f002810d249caee51f3f1c309f3cdab5nvd
- git.kernel.org/stable/c/1810b2fd7375de88a74976dcd402b29088e479ednvd
- git.kernel.org/stable/c/363448d069e29685ca37a118065121e486387af3nvd
- git.kernel.org/stable/c/49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09nvd
- git.kernel.org/stable/c/953eb3796ef06b8ea3bf6bdde14156255bc75866nvd
- git.kernel.org/stable/c/d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1nvd
- git.kernel.org/stable/c/eb3d29ca0820fa3d7cccad47d2da56c9ab5469ednvd
News mentions
0No linked articles in our index yet.