CVE-2025-21981: 
Linux Kernel vulnerability analysis and mitigation

A memory leak vulnerability (CVE-2025-21981) was discovered in the Linux kernel's ice driver, specifically in the accelerated Receive Flow Steering (aRFS) functionality. The vulnerability was disclosed on April 1, 2025, affecting Linux kernel versions from 5.8 up to versions before 6.1.132, 6.2 to before 6.6.84, 6.7 to before 6.12.20, and 6.13 to before 6.13.8 (NVD).

The vulnerability occurs during VSI reconfiguration executed during reset, where aRFS memory is allocated multiple times without properly releasing previously allocated resources. aRFS objects are allocated in two cases: during VSI initialization at probe and during reset handling. The issue manifests as an unreferenced object of size 8192 bytes, which can be detected using the kernel's memory leak detector (NVD). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability results in a memory leak in the Linux kernel's ice driver, which could lead to resource exhaustion and potential system instability over time. While the vulnerability does not allow for information disclosure or system compromise, it can affect system availability through continuous memory consumption (NVD).

The vulnerability has been fixed in Linux kernel version 6.1.133-1 for the Debian stable distribution (bookworm) and other corresponding versions. Users are recommended to upgrade their Linux kernel packages to the patched versions (Debian Security).