CVE-2025-71193

In the Linux kernel, the following vulnerability has been resolved:

phy: qcom-qusb2: Fix NULL pointer dereference on early suspend

Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data. There is a small window where the suspend callback may run after PM runtime enabling and before runtime forbid. This causes a sporadic crash during boot:

```
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
[...]
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
Workqueue: pm pm_runtime_work
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
lr : pm_generic_runtime_suspend+0x2c/0x44
[...]
```

Attach the QPHY instance as driver data before enabling runtime PM to prevent NULL pointer dereference in runtime PM callbacks.

Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a short window where an unnecessary runtime suspend can occur.

Use the devres-managed version to ensure PM runtime is symmetrically disabled during driver removal for proper cleanup.
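The ordering problem described above can be reproduced in a small userspace model. This is an added example, not code from the kernel driver or its patch: the struct names, the `step` enum and `run_probe` are hypothetical, and it assumes the worst case in which the PM workqueue gets to run after every probe step.

```c
/* Userspace model of the probe-ordering window; constructed, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct qphy { int powered; };            /* stand-in for the driver's state */
struct device {
    void *drvdata;                       /* what dev_set_drvdata() stores */
    bool pm_enabled, pm_forbidden;       /* pm_runtime_enable()/forbid() done */
};
struct outcome { int null_derefs; int suspends; };

/* Runtime-suspend callback: expects valid driver data, like the real one. */
static void runtime_suspend(struct device *dev, struct outcome *out)
{
    struct qphy *q = dev->drvdata;
    out->suspends++;
    if (!q) { out->null_derefs++; return; }   /* the kernel would oops here */
    q->powered = 0;
}

enum step { SET_DRVDATA, PM_ENABLE, PM_FORBID };

/* Execute probe steps in the given order and report what the callback saw. */
struct outcome run_probe(const enum step order[3])
{
    struct qphy q = { .powered = 1 };
    struct device dev = { 0 };
    struct outcome out = { 0, 0 };
    for (size_t i = 0; i < 3; i++) {
        if (order[i] == SET_DRVDATA) dev.drvdata = &q;
        if (order[i] == PM_ENABLE)   dev.pm_enabled = true;
        if (order[i] == PM_FORBID)   dev.pm_forbidden = true;
        /* Worst case: the PM workqueue runs in the gap after every step. */
        if (dev.pm_enabled && !dev.pm_forbidden)
            runtime_suspend(&dev, &out);
    }
    return out;
}

const enum step ORDER_BEFORE_FIX[3]   = { PM_ENABLE, PM_FORBID, SET_DRVDATA };
const enum step ORDER_DRVDATA_ONLY[3] = { SET_DRVDATA, PM_ENABLE, PM_FORBID };
const enum step ORDER_AFTER_FIX[3]    = { SET_DRVDATA, PM_FORBID, PM_ENABLE };

int main(void)
{
    struct outcome o = run_probe(ORDER_BEFORE_FIX);
    printf("before fix: %d NULL dereference(s)\n", o.null_derefs);
    return 0;
}
```

`ORDER_DRVDATA_ONLY` shows why the fix also swaps enable and forbid: setting driver data first removes the NULL dereference, but one unnecessary suspend still occurs.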

Package Linux Kernel
Published 2026-02-04
Last modified 2026-04-15
Patch available Yes

Affected versions

Linux kernel versions 4.17 and later are affected. Fixed in 6.6.122, 6.12.67, 6.18.7, 6.19 and their respective stable series.

Affected from ≥ 4.17
Fixed in 6.6.122 (6.6.x), 6.12.67 (6.12.x), 6.18.7 (6.18.x), 6.19

References

The following references provide additional information about CVE-2025-71193 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Frequently asked questions

  • What is CVE-2025-71193?

    CVE-2025-71193 is a Linux kernel vulnerability with unscored severity. It affects Linux kernel versions from 4.17 onward and has been patched in 6.6.122, 6.12.67, 6.18.7 and others. CVE-2025-71193 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

  • Is there a patch available for CVE-2025-71193?

    Yes — CVE-2025-71193 has been patched. Fixed versions include 6.6.122, 6.12.67, 6.18.7 and others. If you are running Linux kernel 4.17 or later and have not yet reached the fixed version for your branch, apply the relevant patch for your kernel branch.

  • Is CVE-2025-71193 actively exploited?

    No — CVE-2025-71193 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.