CVE-2025-21816
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2025-21816 affects the Linux kernel's hrtimer (High-Resolution Timer) subsystem. The vulnerability was discovered and disclosed on February 27, 2025. When a CPU goes offline, its hrtimers are migrated away from the dying CPU to any online target at the CPUHP_AP_HRTIMERS_DYING stage. However, the outgoing CPU can still perform wakeups after CPUHP_AP_HRTIMERS_DYING, which can result in bandwidth timers being armed again (NVD).

Technical details

The vulnerability stems from a race condition in the hrtimer subsystem. When a CPU is being taken offline, timers are migrated at the CPUHP_AP_HRTIMERS_DYING stage, but the dying CPU can still perform wakeups afterward. Depending on various factors (crystal ball power management based election, earliest timer already enqueued, timer migration enabled or not), the target chosen for a timer armed at that point may end up being the current CPU even though it is offline, in which case the timer is ignored (Kernel Git).

Impact

When the vulnerability is triggered, timers can be incorrectly queued on an offline CPU, where they are ignored. This particularly affects the RCU (Read-Copy-Update) subsystem and other kernel components that rely on timers for proper operation. The issue can cause system instability and potential timing-related failures (Debian Tracker).

Mitigation and workarounds

The issue has been fixed in the Linux kernel by modifying the hrtimers infrastructure to always migrate a timer to an online target whenever it is enqueued from an offline CPU. This fix allows the removal of several workarounds that were previously implemented in the RCU subsystem. The fix is available in version 6.12.17-1 and later versions of the kernel (Debian Tracker).
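
The race and the fix described above, reduced to a user-space C model. This is an added illustration, not kernel code and not code from the original report; every name in it (cpu_model, pick_target, cpu_dying_migrate, simulate_late_wakeup) is hypothetical, and the target election is simplified to a single "stay local" choice.

```c
#include <stdbool.h>
#include <stdio.h>
#define NR_CPUS 2

/* Simplified user-space model; all names are hypothetical, not kernel symbols. */
struct cpu_model {
    bool online;   /* false once the CPU has passed the hrtimers "dying" stage */
    int  queued;   /* timers currently enqueued on this CPU's timer base */
};

static struct cpu_model cpus[NR_CPUS];

/* Target election. Without the fix the local CPU can be chosen even when offline. */
static int pick_target(int cur, bool fixed)
{
    if (fixed && !cpus[cur].online)
        for (int c = 0; c < NR_CPUS; c++)
            if (cpus[c].online)
                return c;      /* fix: always migrate to an online CPU */
    return cur;                /* e.g. timer migration disabled: stay local */
}

/* Dying stage: move every queued timer from the outgoing CPU to an online one. */
static void cpu_dying_migrate(int dying, int target)
{
    cpus[target].queued += cpus[dying].queued;
    cpus[dying].queued = 0;
    cpus[dying].online = false;
}

/* Returns how many timers end up stranded on an offline CPU (never serviced). */
int simulate_late_wakeup(bool fixed)
{
    cpus[0] = (struct cpu_model){ .online = true, .queued = 1 };
    cpus[1] = (struct cpu_model){ .online = true, .queued = 2 };
    cpu_dying_migrate(1, 0);               /* CPU 1 goes down, timers move to CPU 0 */
    cpus[pick_target(1, fixed)].queued++;  /* late wakeup on CPU 1 re-arms a timer */

    int stranded = 0;
    for (int c = 0; c < NR_CPUS; c++)
        if (!cpus[c].online)
            stranded += cpus[c].queued;
    return stranded;
}

int main(void)
{
    printf("stranded timers: unfixed=%d fixed=%d\n",
           simulate_late_wakeup(false), simulate_late_wakeup(true));
    return 0;
}
```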


This report was generated using AI.

Related Linux Kernel vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date
CVE-2025-68753 | HIGH | 7.8 | Linux Kernel | linux-realtime | No | Yes | Jan 05, 2026
CVE-2025-68756 | HIGH | 7.1 | Linux Kernel | linux-oracle | No | Yes | Jan 05, 2026
CVE-2025-68764 | MEDIUM | 5.5 | Linux Kernel | linux-realtime | No | Yes | Jan 05, 2026
CVE-2025-68758 | MEDIUM | 5.5 | Linux Kernel | kernel-zfcpdump-core | No | Yes | Jan 05, 2026
CVE-2025-68762 | N/A | N/A | Linux Kernel | kernel | No | Yes | Jan 05, 2026
