CVE-2025-22095: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-22095 is a vulnerability in the Linux kernel's PCI subsystem, specifically in the Broadcom STB (brcmstb) driver, discovered and disclosed on April 16, 2025. The vulnerability affects the error handling path after a call to regulator_bulk_get() function (NVD Database, Debian Tracker).

The vulnerability occurs when regulator_bulk_get() returns an error and no regulators are created, but their number is not set to zero. If the PCIe link up fails in this state, a subsequent call to regulator_bulk_free() results in a kernel panic. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access required and potential high impact on availability (Red Hat CVE).

The primary impact of this vulnerability is system availability. When triggered, it can cause a kernel panic, leading to system crashes and potential denial of service. The vulnerability affects system stability but does not compromise confidentiality or integrity (Red Hat CVE).

The vulnerability has been fixed in various Linux distributions. Debian has addressed it in version 6.12.25-1 for sid, while some versions remain vulnerable. For Debian bullseye, the vulnerable code is not present. Red Hat Enterprise Linux versions 6, 7, 8, and 9 are not affected by this vulnerability (Debian Tracker).