CVE-2025-21774: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-21774 was disclosed on February 26, 2025, affecting the Linux kernel. The vulnerability is related to a NULL pointer check issue in the rkcanfdhandlerxfifooverflow_int() function of the Rockchip CAN-FD controller driver. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) (NVD).

The vulnerability exists in the Linux kernel's Rockchip CAN-FD controller driver where there was an incorrect NULL pointer check in the rkcanfdhandlerxfifooverflow_int() function. Specifically, the function failed to properly bail out if a socket buffer (skb) could not be allocated. The issue was introduced in the commit that added the Rockchip CAN-FD controller driver. The vulnerability has been classified as CWE-476 (NULL Pointer Dereference) (NVD).

The vulnerability could lead to a NULL pointer dereference in the Linux kernel when handling CAN-FD controller operations, potentially causing a denial of service condition through kernel crashes (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that corrects the NULL pointer check in rkcanfdhandlerxfifooverflow_int() to properly bail out if skb cannot be allocated. The fix has been applied to affected versions including Linux kernel 6.12 through 6.12.16 and 6.13 through 6.13.4 (Kernel Patch).