CVE-2025-21919: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21919 is a vulnerability discovered in the Linux kernel's scheduler component, specifically in the childcfsrqonlist function. The vulnerability was disclosed on April 1, 2025, affecting Linux kernel versions from 5.16 up to (excluding) 6.1.131 (NVD).

The vulnerability stems from an invalid pointer conversion in the childcfsrqonlist function, where a 'prev' pointer to cfsrq can originate from struct rq's leafcfsrqlist. This conversion can lead to memory corruption depending on the relative positions of leafcfsrq_list and the task group pointer within the struct. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with high impact potential (NVD).

The vulnerability can cause memory faults or access to garbage data, potentially leading to unpredictable system behavior when the struct layout changes. While the current struct layout might not manifest the issue as an immediate crash, the potential for memory corruption poses significant risks to system stability and security (CVE).

The vulnerability has been fixed in multiple Linux distributions. Debian has released version 6.1.133-1 for the bookworm distribution, and version 6.12.22-1 for sid. The fix implements a check if (prev == &rq->leaf_cfs_rq_list) after the main conditional in childcfsrqonlist to ensure proper pointer conversion (Debian Security).