CVE-2025-68375
Description
In the Linux kernel, the following vulnerability has been resolved:
perf/x86: Fix NULL event access and potential PEBS record loss
When intel_pmu_drain_pebs_icl() is called to drain PEBS records, perf_event_overflow() could be called to process the last PEBS record.
perf_event_overflow() could in turn trigger the interrupt throttle and stop all events of the group, as the call chain below shows:
perf_event_overflow() -> __perf_event_overflow() -> __perf_event_account_interrupt() -> perf_event_throttle_group() -> perf_event_throttle() -> event->pmu->stop() -> x86_pmu_stop()
The side effect of stopping the events is that all corresponding event pointers in cpuc->events[] array are cleared to NULL.
Assume there are two PEBS events (event a and event b) in a group. When intel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the last PEBS record of PEBS event a, the interrupt throttle is triggered and all pointers of event a and event b are cleared to NULL. Then intel_pmu_drain_pebs_icl() tries to process the last PEBS record of event b and encounters a NULL pointer access.
To avoid this issue, move the cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del(). It's safe since cpuc->active_mask or cpuc->pebs_enabled is always checked before accessing the event pointer from cpuc->events[].
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, x86 PEBS record draining can trigger a NULL pointer dereference when interrupt throttling clears event pointers during processing of a group of events.
When intel_pmu_drain_pebs_icl() drains PEBS records, it may call perf_event_overflow() to process the last PEBS record. That function can trigger interrupt throttling via perf_event_throttle_group(), which stops all events in the group by calling x86_pmu_stop(). The side effect of stopping the events is that all corresponding event pointers in the cpuc->events[] array are cleared to NULL.
If two PEBS events (event a and event b) are in a group, and perf_event_overflow() processes the last PEBS record of event a, throttling clears pointers for both events. When the drain function then tries to process the last PEBS record of event b, it accesses a NULL pointer, leading to a crash.
The vulnerability is reachable on systems with Intel processors that support PEBS (Precise Event Based Sampling) when multiple PEBS events are placed in one event group. The attack surface is local: it requires the ability to set up such event groups, typically via the perf subsystem, which may be available to unprivileged users depending on configuration.
The impact is a denial of service (system crash) due to a NULL pointer dereference. An attacker with local access and the ability to create perf events could exploit this to cause a kernel panic.
The fix moves the clearing of cpuc->events[] from x86_pmu_stop() to x86_pmu_del(), which is safe because cpuc->active_mask or cpuc->pebs_enabled is always checked before accessing the event pointer from cpuc->events[]. The patch has been applied to the stable kernel tree as commit cf69b99805c2 [1].
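The two-event scenario described in the commit message and in the insight above, as an added illustration that is not code from the kernel or from this advisory: a user-space C model of cpuc->events[], x86_pmu_stop(), x86_pmu_del() and the drain loop, run once with the pre-fix behaviour (pointer cleared in stop) and once with the fixed behaviour (pointer cleared only in del). The struct layout, the "throttle fires on the first overflow" rule and the return-value convention are assumptions of the model, not kernel behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#define MAX_EVENTS 4
struct perf_event { int group_id; int overflows; };
struct cpu_hw_events {
    struct perf_event *events[MAX_EVENTS];   /* cpuc->events[] */
    unsigned long active_mask;               /* cpuc->active_mask */
};
/* x86_pmu_stop(): drop the counter's active bit. Pre-fix it also cleared
 * the event pointer (clear_in_stop == true); that is the defect modelled. */
static void x86_pmu_stop(struct cpu_hw_events *cpuc, int idx, bool clear_in_stop) {
    cpuc->active_mask &= ~(1UL << idx);
    if (clear_in_stop)
        cpuc->events[idx] = NULL;
}
/* x86_pmu_del(): after the fix, the pointer is cleared only here. */
static void x86_pmu_del(struct cpu_hw_events *cpuc, int idx) {
    cpuc->events[idx] = NULL;
}
/* perf_event_throttle_group(): stop every event in the same group. */
static void throttle_group(struct cpu_hw_events *cpuc, int group_id, bool clear_in_stop) {
    for (int i = 0; i < MAX_EVENTS; i++)
        if (cpuc->events[i] && cpuc->events[i]->group_id == group_id)
            x86_pmu_stop(cpuc, i, clear_in_stop);
}
/* Stand-in for intel_pmu_drain_pebs_icl(): deliver the last record of each
 * counter in pebs_enabled (throttle assumed to fire on the first overflow).
 * Returns how many records met a NULL event pointer, i.e. the crash described. */
static int drain_pebs(struct cpu_hw_events *cpuc, unsigned long pebs_enabled, bool clear_in_stop) {
    int null_hits = 0;
    for (int i = 0; i < MAX_EVENTS; i++) {
        if (!(pebs_enabled & (1UL << i)))
            continue;
        struct perf_event *ev = cpuc->events[i];
        if (!ev) { null_hits++; continue; }      /* would dereference NULL */
        ev->overflows++;                         /* perf_event_overflow() */
        if (ev->overflows == 1)
            throttle_group(cpuc, ev->group_id, clear_in_stop);
    }
    return null_hits;
}
/* Two PEBS events (a, b) in one group, drained once; true = pre-fix path. */
int run_scenario(bool clear_in_stop) {
    struct perf_event a = {1, 0}, b = {1, 0};
    struct cpu_hw_events cpuc = { {&a, &b, NULL, NULL}, 0x3 };
    int hits = drain_pebs(&cpuc, 0x3, clear_in_stop);
    x86_pmu_del(&cpuc, 0); x86_pmu_del(&cpuc, 1);   /* pointers go away here */
    return hits;
}
```

With the pre-fix behaviour the drain meets one NULL pointer (event b, cleared while event a was being throttled); with the fixed behaviour both records are processed and the pointers are dropped only when the events are deleted.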
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.