CVE-2025-21773: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21773 is a vulnerability discovered in the Linux kernel's ETAS ES58X CAN bus driver. The vulnerability was disclosed on February 26, 2025, and affects multiple versions of the Linux kernel from 6.2 through 6.13.4. The issue stems from the driver's assumption that es58x_dev->udev->serial could never be NULL (NVD).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS v3.1 Base Score of 5.5 (Medium). The issue occurs in the ETAS ES58X CAN bus driver where it incorrectly assumes that es58x_dev->udev->serial would always have a valid value. While this assumption holds true for commercially available devices, an attacker could potentially spoof the device identity by providing a NULL USB serial number, leading to a NULL pointer dereference (NVD, Kernel Patch).

The vulnerability could lead to a denial-of-service condition through kernel crash when an attacker provides a NULL USB serial number. The attack requires local access and low privileges to exploit (NVD).

The vulnerability has been patched in the Linux kernel by adding a check on es58x_dev->udev->serial before accessing it. The fix has been implemented across multiple kernel versions, including backports to stable branches. Users should update to patched kernel versions: 6.13.4 or later, 6.12.16 or later, or 6.6.79 or later (Kernel Patch).