CVE-2025-21749: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21749 is a vulnerability in the Linux kernel's ROSE protocol implementation, specifically in the socket binding functionality. The vulnerability was discovered and reported by syzbot on February 26, 2025. The issue affects Linux kernel versions from 2.6.12-rc2 up to versions prior to 6.13.3, 6.6.78, and 6.12.14 (NVD).

The vulnerability stems from a race condition in the rose_bind() function where multiple threads can simultaneously call bind(), leading to a soft lockup in rose_loopback_timer(). The issue occurs due to missing socket locking mechanism in the rose_bind() function. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access required and potential impact on system availability (NVD).

The primary impact of this vulnerability is a potential system availability issue. When exploited, it can cause a soft lockup in the kernel's rose_loopback_timer(), which could lead to system unresponsiveness. The vulnerability affects system availability but does not impact confidentiality or integrity (NVD).

The vulnerability has been patched in the Linux kernel by adding proper socket locking in the rose_bind() function. The fix involves using lock_sock(sk) before performing socket operations and release_sock(sk) afterward. Users should upgrade to Linux kernel versions 6.13.3, 6.6.78, or 6.12.14 or later, depending on their kernel branch (NVD).