CVE-2025-21666: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21666 is a vulnerability in the Linux kernel's vsock (Virtual Socket) subsystem, discovered and disclosed on January 31, 2025. The vulnerability affects Linux kernel versions from 5.5 through 6.13-rc7, where a null pointer dereference can occur in the vsock*[hasdata|has_space] functions when a vsock socket has been de-assigned from a transport (NVD).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS v3.1 Base Score of 5.5 (Medium), and vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue occurs when vsock*has_data() is called on a vsock socket that has been de-assigned from a transport, leading to potential null pointer dereference (NVD, RedHat).

The vulnerability can lead to a denial of service condition through system crashes when the null pointer dereference is triggered. The CVSS scoring indicates that while there is no impact on confidentiality or integrity, there is a high impact on availability (NVD).

The vulnerability has been patched in the Linux kernel. The fix implements a check that returns 0 (no space, no data available) with a warning when a transport is not assigned, preventing the null pointer dereference while maintaining a consistent state. The fix is available in updated kernel versions, and affected distributions like Debian have released security updates (version 6.1.128-1) (Kernel Patch).