Login Sign Up

CVE-2025-21838

5.5 MEDIUM

📋 TL;DR

This CVE describes a race condition in the Linux kernel's USB gadget subsystem where work scheduled during device removal isn't properly cleaned up. This could lead to use-after-free conditions or kernel crashes. Systems using USB gadget functionality (like USB gadget drivers for embedded devices) are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected kernel versions not specified in CVE, but patches exist for stable branches.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with USB gadget functionality enabled (CONFIG_USB_GADGET). Common in embedded systems, development boards, and some server configurations.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic or system crash leading to denial of service, or potential privilege escalation if combined with other vulnerabilities.

🟠

Likely Case

System instability or kernel crash when USB gadget devices are removed, causing denial of service.

🟢

If Mitigated

Minor system instability that requires physical access or privileged user interaction to trigger.

🌐 Internet-Facing: LOW - Requires local access or physical USB device interaction.
🏢 Internal Only: MEDIUM - Could affect systems with USB gadget functionality used by privileged users or automated processes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger USB gadget device removal. Likely requires root privileges to access USB gadget functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in Linux kernel stable releases via commits referenced in CVE

Vendor Advisory: https://git.kernel.org/stable/c/399a45e5237ca14037120b1b895bd38a3b4492ea

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix. 2. Check your distribution's security advisories for specific patched versions. 3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable USB gadget functionality

linux

Remove USB gadget kernel module if not needed

rmmod g_ether
rmmod g_serial
rmmod g_mass_storage
# Remove other USB gadget modules as needed

Blacklist USB gadget modules

linux

Prevent USB gadget modules from loading

echo 'blacklist g_ether' >> /etc/modprobe.d/blacklist-usb-gadget.conf
echo 'blacklist g_serial' >> /etc/modprobe.d/blacklist-usb-gadget.conf
# Add other USB gadget modules as needed

🧯 If You Can't Patch

  • Restrict physical access to USB ports
  • Limit users who can load/unload USB gadget kernel modules

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if USB gadget modules are loaded: lsmod | grep -E 'g_|dwc3|udc'

Check Version:

uname -r

Verify Fix Applied:

Check kernel version contains patched commits or is newer than affected versions

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/kern.log or dmesg
  • USB gadget related errors or crashes
  • System crashes during USB device removal

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "BUG") AND ("usb" OR "gadget" OR "dwc3")

📊 Metadata

CVE ID: CVE-2025-21838
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.05% exploit probability (15.8th percentile)
Published: March 7, 2025
Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON