CVE-2025-22050: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-22050 is a vulnerability discovered in the Linux kernel, specifically in the usbnet driver component. The vulnerability was disclosed on April 16, 2025, affecting various Linux distributions. The issue stems from a missing usbnet_going_away check in a critical path of the USB networking subsystem (NVD, Debian).

The vulnerability arises from an inconsistency where the usb_submit_urb function lacks a usbnet_going_away validation, while __usbnet_queue_skb includes this check. This creates a race condition scenario where a URB request may succeed but the corresponding SKB data fails to be queued. The issue has been assigned a CVSS v3.1 base score of 5.5 (Moderate) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-476 (Red Hat).

When exploited, this vulnerability can lead to subsequent processes (such as rx_complete → defer_bh → __skb_unlink(skb, list)) attempting to access skb->next, which triggers a NULL pointer dereference resulting in a Kernel Panic. This can cause system instability and potential denial of service (NVD).

The vulnerability has been fixed in various Linux kernel versions. Debian has addressed this in version 6.12.25-1 for sid, while it remains vulnerable in some distributions like bookworm (6.1.129-1). Red Hat Enterprise Linux 8 is not affected, while RHEL 9 has deferred the fix (Debian, Red Hat).