CVE-2025-21966: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21966 is a memory corruption vulnerability discovered in the Linux kernel's dm-flakey feature, specifically in the optional corruptbiobyte functionality. The vulnerability was disclosed on April 1, 2025, affecting Linux kernel versions from 6.5 up to 6.6.84, as well as the 6.14 release candidates (NVD, CVE).

The vulnerability is classified as an Out-of-bounds Write (CWE-787) issue, caused by an incorrect parameter being passed to bio_init in the dm-flakey component. The vulnerability has received a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with low attack complexity (NVD).

The vulnerability can lead to memory corruption in the Linux kernel when the corruptbiobyte feature is enabled in dm-flakey. Given the CVSS scoring, successful exploitation could result in high impacts on confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been fixed in various Linux distributions. Debian has marked the issue as fixed in multiple releases including bullseye (5.10.234-1), bookworm (6.1.133-1), trixie (6.12.21-1), and sid (6.12.22-1) (Debian Tracker).