CVE-2025-21998

In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: uefisecapp: fix efivars registration race Since the conversion to using the TZ allocator, the efivars service is registered before the memory pool has been allocated, something which can lead to a NULL-pointer dereference in case of a racing EFI variable access. Make sure that all resources have been set up before registering the efivars.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/c4e37b381a7a243c298a4858fc0a5a74e737c79a	Patch
https://git.kernel.org/stable/c/da8d493a80993972c427002684d0742560f3be4a	Patch
https://git.kernel.org/stable/c/f15a2b96a0e41c426c63a932d0e63cde7b9784aa	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc7::::::

History

No history.

Information

Published : 2025-04-03 08:15

Updated : 2025-10-01 18:15

NVD link : CVE-2025-21998

Mitre link : CVE-2025-21998

CVE.ORG link : CVE-2025-21998

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-476

NULL Pointer Dereference

{"id": "CVE-2025-21998", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2025-04-03T08:15:15.243", "references": [{"url": "https://git.kernel.org/stable/c/c4e37b381a7a243c298a4858fc0a5a74e737c79a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/da8d493a80993972c427002684d0742560f3be4a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f15a2b96a0e41c426c63a932d0e63cde7b9784aa", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-367"}, {"lang": "en", "value": "CWE-476"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: uefisecapp: fix efivars registration race\n\nSince the conversion to using the TZ allocator, the efivars service is\nregistered before the memory pool has been allocated, something which\ncan lead to a NULL-pointer dereference in case of a racing EFI variable\naccess.\n\nMake sure that all resources have been set up before registering the\nefivars."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: firmware: qcom: uefisecapp: correcci\u00f3n de la ejecuci\u00f3n de registro de efivars. Desde la conversi\u00f3n al uso del asignador TZ, el servicio efivars se registra antes de asignar el pool de memoria, lo que puede provocar una desreferencia de puntero nulo en caso de un acceso a variable EFI en ejecuci\u00f3n. Aseg\u00farese de que todos los recursos est\u00e9n configurados antes de registrar las efivars."}], "lastModified": "2025-10-01T18:15:42.783", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "526713EC-733E-4163-BEC2-8DC94D735FDB", "versionEndExcluding": "6.12.21", "versionStartIncluding": "6.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAECBE4D-58CF-4836-BBAB-5E28B800A778", "versionEndExcluding": "6.13.9", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1759FFB7-531C-41B1-9AE1-FD3D80E0D920"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD948719-8628-4421-A340-1066314BBD4A"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}