CVE-2025-21904: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21904 is a vulnerability in the Linux kernel's caifvirtio component, discovered and disclosed on April 1, 2025. The vulnerability affects multiple versions of the Linux kernel, from version 3.10 up to versions 6.14-rc5, involving an incorrect pointer check in the cfvprobe() function (NVD).

The vulnerability stems from a NULL pointer dereference issue in the caifvirtio component. Specifically, the delvqs() function frees virtqueues, but the code incorrectly checks cfv->vdev for NULL instead of cfv->vq_tx before calling it. The implementation is redundant because the pointer cfv->vdev is dereferenced before being checked for NULL. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-476 (NULL Pointer Dereference) (NVD).

The vulnerability can lead to high availability impact on affected systems, though it requires local access and low privileges to exploit. The CVSS metrics indicate no impact on confidentiality or integrity, but a high impact on system availability (NVD).

The vulnerability has been fixed in various Linux kernel versions. The fix involves modifying the pointer check to verify cfv->vqtx for NULL instead of cfv->vdev before calling delvqs(). Updated versions include 6.1.133-1 for Debian bookworm and 6.12.21-1 for Debian trixie (Debian).