CVE-2025-21859: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21859 is a vulnerability in the Linux kernel's USB MIDI gadget driver discovered in March 2025. The vulnerability affects multiple versions of the Linux kernel, including versions from 3.2 to 6.14-rc3. The issue occurs in the USB gadget MIDI function driver where a lock is attempted to be acquired twice through a re-entrant call to fmiditransmit, potentially causing a deadlock condition (NVD).

The vulnerability is classified as CWE-667 (Improper Locking) with a CVSS v3.1 Base Score of 5.5 (Medium). The technical issue involves a deadlock condition in the fmidicomplete function where a lock is acquired twice during USB MIDI operations through a re-entrant call to fmiditransmit. The vulnerability affects the Linux kernel's USB gadget MIDI function driver implementation (NVD, Kernel Patch).

The vulnerability can result in a deadlock condition when using USB MIDI devices, potentially causing system unavailability or hanging of the USB MIDI functionality. The impact is limited to local systems using the USB MIDI gadget driver, with no remote exploitation vectors identified (NVD).

The vulnerability has been fixed by modifying the fmidicomplete function to use queuework() instead of directly calling fmiditransmit. The fix schedules the inner fmidi_transmit() via a high priority work queue from the completion handler, preventing the deadlock condition. The patch has been integrated into various kernel versions (Kernel Patch).