CVE-2025-21693: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21693 affects the Linux kernel's zswap compression functionality. The vulnerability was discovered in February 2025 and involves improper synchronization of resource freeing during CPU hotunplug operations. The issue specifically affects the zswap compression/decompression operations when using the crypto_acomp API for hardware acceleration (NVD, Kernel Commit).

The vulnerability stems from a race condition in zswapcompress() and zswapdecompress() functions where the per-CPU acompctx is retrieved and used without proper preemption or migration controls. If the original CPU is hotunplugged while the acompctx is still in use, it leads to a Use-After-Free (UAF) bug as resources attached to the acompctx are freed during hotunplug in zswapcpucompdead(). The issue was introduced when switching to the crypto_acomp API for hardware acceleration. The CVSS v3.1 base score is 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to a Use-After-Free condition when CPU hotunplug operations occur during zswap compression/decompression operations. This could potentially result in system crashes, memory corruption, or privilege escalation in the Linux kernel (NVD).

The issue has been fixed by implementing proper synchronization using acompctx.mutex to coordinate CPU hotplug callbacks and compression/decompression paths. The fix ensures that acompctx.req is NULL when resources are freed and adds retry mechanisms when a CPU is offlined. The patch has been merged into the Linux kernel mainline (Kernel Commit).