CVE-2025-22084: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-22084 is a vulnerability discovered in the Linux kernel, specifically affecting the w1_uart_probe() function. The vulnerability was disclosed on April 16, 2025, and involves a NULL pointer dereference issue in the probe functionality (NVD, Red Hat CVE).

The vulnerability occurs when w1_uart_probe() calls w1_uart_serdev_open() (which includes devm_serdev_device_open()) before setting the client ops via serdev_device_set_client_ops(). This incorrect ordering can trigger a NULL pointer dereference in the serdev controller's receive_buf handler, as it assumes serdev->ops is valid when SERPORT_ACTIVE is set. The issue is similar to a previous race condition fixed in commit 5e700b384ec1. According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat CVE).

The vulnerability can lead to a NULL pointer dereference in the Linux kernel, potentially causing system crashes or denial of service conditions. The impact is limited to local attacks with no compromise of confidentiality or integrity, but can affect system availability (Red Hat CVE).

The vulnerability has been fixed by ensuring client ops are set before enabling the port via w1_uart_serdev_open(). Various Linux distributions have released patches, including Debian which has fixed versions available in multiple releases: 6.12.25-1 for sid, 6.1.133-1 for bookworm, and 5.10.234-1 for bullseye (Debian Tracker).