CVE-2025-21906: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21906 affects the Linux kernel's iwlwifi driver component. The vulnerability was discovered and disclosed on April 1, 2025, and involves an issue with the ROC (Remain On Channel) cleanup functionality in the iwlwifi driver. The vulnerability specifically affects the mvm (modular virtual machine) component of the iwlwifi driver (NVD, CVE).

The vulnerability occurs when the firmware fails to start session protection. In this scenario, while iwl_mvm_roc_finished() is called, it becomes ineffective because the IWL_MVM_STATUS_ROC_P2P_RUNNING status flag was never set. This leads to a condition where the link remains active when it should have been deactivated, ultimately triggering a WARN_ON() during a fresh remain-on-channel operation (NVD).

The impact of this vulnerability is primarily operational, as it can lead to system warnings and potential driver instability when using the affected iwlwifi driver. When exploited, it causes the link to remain incorrectly active during remain-on-channel operations, which can affect the normal functioning of the wireless interface (NVD).

The issue has been resolved in the Linux kernel by setting IWL_MVM_STATUS_ROC_P2P_RUNNING in the failure/stop path. This ensures proper cleanup regardless of whether the session started successfully or failed to start. The fix ensures that the link status is properly managed in all scenarios (NVD).