CVE-2025-21810
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
27/02/2025
Last modified:
28/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()<br />
<br />
There are a potential wild pointer dereferences issue regarding APIs<br />
class_dev_iter_(init|next|exit)(), as explained by below typical usage:<br />
<br />
// All members of @iter are wild pointers.<br />
struct class_dev_iter iter;<br />
<br />
// class_dev_iter_init(@iter, @class, ...) checks parameter @class for<br />
// potential class_to_subsys() error, and it returns void type and does<br />
// not initialize its output parameter @iter, so caller can not detect<br />
// the error and continues to invoke class_dev_iter_next(@iter) even if<br />
// @iter still contains wild pointers.<br />
class_dev_iter_init(&iter, ...);<br />
<br />
// Dereference these wild pointers in @iter here once suffer the error.<br />
while (dev = class_dev_iter_next(&iter)) { ... };<br />
<br />
// Also dereference these wild pointers here.<br />
class_dev_iter_exit(&iter);<br />
<br />
Actually, all callers of these APIs have such usage pattern in kernel tree.<br />
Fix by:<br />
- Initialize output parameter @iter by memset() in class_dev_iter_init()<br />
and give callers prompt by pr_crit() for the error.<br />
- Check if @iter is valid in class_dev_iter_next().
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4 (including) | 6.6.76 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page