CVE-2025-21676: 
Linux Kernel vulnerability analysis and mitigation

A NULL pointer dereference vulnerability has been identified in the Linux kernel's Fast Ethernet Controller (FEC) driver. The issue (CVE-2025-21676) was discovered in the fecenetupdatecbd function, which failed to properly handle cases where pagepooldevalloc_pages returns NULL. The vulnerability affects Linux kernel versions from 6.1 up to (excluding) 6.6.74, from 6.7 up to (excluding) 6.12.11, and release candidates 6.13-rc1 through 6.13-rc7 (NVD).

The vulnerability exists in the fecenetupdatecbd function within the FEC driver. When under memory pressure, pagepooldevallocpages can return NULL, but the function only had a WARNON(!new_page) check and would proceed to use the NULL pointer, leading to a crash. This scenario was particularly reproducible when writing over an SMB share to a SATA HDD attached to an imx6q device. The issue stems from the driver ignoring the memory allocation error and attempting to continue operation with a NULL pointer (Kernel Patch).

The vulnerability can lead to a system crash (denial of service) when the system is under memory pressure. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is to system availability (NVD).

A patch has been released that handles the allocation error by dropping the current packet when pagepooldevallocpages returns NULL. As a temporary workaround before applying the patch, administrators can increase the value of /proc/sys/vm/minfreekbytes. The fix has been incorporated into various kernel versions, with some distributions already having patched versions available (Kernel Patch).