#VU106731 NULL pointer dereference in Linux kernel - CVE-2025-21917
Vulnerability identifier: #VU106731
Vulnerability risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-476
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the usbhs_remove() function in drivers/usb/renesas_usbhs/common.c. A local user can perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Linux kernel: 6.12, 6.12.1, 6.12.2, 6.12.3, 6.12.4, 6.12.5, 6.12.6, 6.12.7, 6.12.8, 6.12.9, 6.12.10, 6.12.11, 6.12.12, 6.12.13, 6.12.14, 6.12.15, 6.12.16, 6.12.17, 6.12.18
External links
https://git.kernel.org/stable/c/3248c1f833f924246cb98ce7da4569133c1b2292
https://git.kernel.org/stable/c/394965f90454d6f00fe11879142b720c6c1a872e
https://git.kernel.org/stable/c/4ca078084cdd5f32d533311d6a0b63a60dcadd41
https://git.kernel.org/stable/c/4cd847a7b630a85493d0294ad9542c21aafaa246
https://git.kernel.org/stable/c/552ca6b87e3778f3dd5b87842f95138162e16c82
https://git.kernel.org/stable/c/830818c8e70c0364e377f0c243b28061ef7967eb
https://git.kernel.org/stable/c/d50f5c0cd949593eb9a3d822b34d7b50046a06b7
https://git.kernel.org/stable/c/e5aac1c9b2974636db7ce796ffa6de88fa08335e
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.19
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
