CVE-2025-21859
📋 TL;DR
A race condition in the Linux kernel's USB MIDI gadget driver can cause a deadlock when USB MIDI functionality is used. This affects systems using USB gadget mode with MIDI support, potentially causing denial of service. The vulnerability requires local access to trigger.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel deadlock leading to system freeze or crash requiring hard reboot, causing denial of service on affected systems.
Likely Case
Local denial of service when USB MIDI gadget functionality is actively used, potentially freezing the affected USB gadget interface.
If Mitigated
Minimal impact if USB gadget mode with MIDI support is not enabled or used.
🎯 Exploit Status
Requires local access and ability to trigger USB MIDI gadget operations. Exploitation would cause denial of service rather than privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in multiple stable kernel trees; fix commits: 1f10923404705a94891e612dff3b75e828a78368, 24a942610ee9bafb2692a456ae850c5b2e409b05, 4ab37fcb42832cdd3e9d5e50653285ca84d6686f, 727dee0857946b85232526de4f5a957fe163e89a, 8aa6b4be1f4efccbfc533e6ec8841d26e4fa8dba
Vendor Advisory: https://git.kernel.org/stable/c/1f10923404705a94891e612dff3b75e828a78368
Restart Required: Yes
Instructions:
1. Update to a patched kernel version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify the fix is applied by checking kernel version or confirming USB MIDI gadget functionality works without deadlocks.
🔧 Temporary Workarounds
Disable USB MIDI gadget support
Disable the vulnerable USB MIDI gadget module if not needed (Linux):
echo 'blacklist g_midi' >> /etc/modprobe.d/blacklist.conf
rmmod g_midi 2>/dev/null || true
Disable the USB MIDI gadget function module
Blacklist and unload the usb_f_midi gadget function module if it is not required (Linux):
echo 'blacklist usb_f_midi' >> /etc/modprobe.d/blacklist.conf
rmmod usb_f_midi 2>/dev/null || true
🧯 If You Can't Patch
- Disable USB gadget mode with MIDI support via kernel configuration or module blacklisting
- Restrict local access to systems where USB gadget functionality is required
🔍 How to Verify
Check if Vulnerable:
Check if USB MIDI gadget module is loaded: lsmod | grep -E 'g_midi|usb_f_midi'
Check Version:
uname -r
Verify Fix Applied:
Check kernel version against patched versions from distribution vendor, or test USB MIDI gadget functionality for deadlocks
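The module check above and the blacklist workaround can be combined into one audit, shown here as an added example that is not part of the original advisory: it reports whether `g_midi` or `usb_f_midi` is loaded and whether modprobe configuration actually prevents loading. The function names, the `blocked` / `blacklisted-only` / `loadable` labels and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify f_midi gadget exposure.
# File locations are parameters so the logic can run on constructed input.

# is_loaded MODULE [PROC_MODULES_FILE]: true if MODULE is currently loaded.
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# block_level MODULE [MODPROBE_DIR]: prints install, blacklist or none.
# "blacklist" only suppresses alias-based autoloading; an explicit
# "modprobe MODULE" still works unless an "install MODULE /bin/false"
# (or /bin/true) line overrides it.
block_level() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null | awk -v m="$1" '
        /^[ \t]*#/ { next }
        { name = $2; gsub(/-/, "_", name) }   # modprobe treats - and _ alike
        name != m { next }
        $1 == "install" && $3 ~ /^\/bin\/(false|true)$/ { lvl = "install" }
        $1 == "blacklist" && lvl == "" { lvl = "blacklist" }
        END { print (lvl == "" ? "none" : lvl) }'
}

# exposure MODULE [PROC_MODULES_FILE] [MODPROBE_DIR]
exposure() {
    if is_loaded "$1" "$2"; then echo loaded; return; fi
    case $(block_level "$1" "$3") in
        install)   echo blocked ;;
        blacklist) echo blacklisted-only ;;
        *)         echo loadable ;;
    esac
}

# Constructed sample: g_midi blacklisted as in the workaround above, but
# usb_f_midi still loaded (for example by a configfs-defined gadget).
demo() {
    d=$(mktemp -d) || return 1
    printf 'usb_f_midi 20480 1 - Live 0x0000000000000000\n' > "$d/modules"
    printf 'blacklist g_midi\n' > "$d/blacklist.conf"
    for m in g_midi usb_f_midi; do
        echo "$m: $(exposure "$m" "$d/modules" "$d")"
    done
    rm -rf "$d"
}
demo
```

On a real host, call `exposure g_midi` and `exposure usb_f_midi` with no path arguments to read `/proc/modules` and `/etc/modprobe.d`. Only one configuration directory is scanned per call, so repeat the call for any other modprobe.d location the distribution uses.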
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- System freeze/crash logs
- USB gadget related error messages in dmesg
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("deadlock" OR "USB MIDI" OR "f_midi" OR "g_midi")
🔗 References
- https://git.kernel.org/stable/c/1f10923404705a94891e612dff3b75e828a78368
- https://git.kernel.org/stable/c/24a942610ee9bafb2692a456ae850c5b2e409b05
- https://git.kernel.org/stable/c/4ab37fcb42832cdd3e9d5e50653285ca84d6686f
- https://git.kernel.org/stable/c/727dee0857946b85232526de4f5a957fe163e89a
- https://git.kernel.org/stable/c/8aa6b4be1f4efccbfc533e6ec8841d26e4fa8dba
- https://git.kernel.org/stable/c/b09957657d7767d164b3432af2129bd72947553c
- https://git.kernel.org/stable/c/deeee3adb2c01eedab32c3b4519337689ad02e8a
- https://git.kernel.org/stable/c/e9fec6f42c45db2f62dc373fb1a10d2488c04e79
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html