CVE-2025-21672: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21672 is a vulnerability discovered in the Linux kernel's AFS (Andrew File System) module, specifically in the afs_proc_addr_prefs_write function. The vulnerability was discovered and reported by syzbot on January 31, 2025. It affects Linux kernel versions prior to 6.12.11 and various release candidates of version 6.13 (rc1 through rc6) (NVD).

The vulnerability stems from improper lock handling in the afs_proc_addr_prefs_write function within the AFS module. When processing address preferences, if the argc parameter becomes less than 0, the function returns directly without releasing an acquired inode lock. This results in a lock being held when returning to userspace. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-667 (Improper Locking) (NVD, Kernel Patch).

The primary impact of this vulnerability is a potential denial-of-service condition. When the vulnerability is triggered, the inode lock remains held indefinitely, which can block other processes that require access to the same file or resource. This can lead to system hangs, unresponsive applications, and degraded system performance (SecMaster).

The vulnerability has been fixed in Linux kernel version 6.12.11 and later. The fix involves modifying the afs_proc_addr_prefs_write function to store the error in a return variable and jump to a cleanup section instead of returning directly, ensuring proper release of the held lock. For systems that cannot immediately upgrade, a potential workaround is to disable the AFS module if it's not critical for system operation (Kernel Patch, SecMaster).