API Misuse in Linux Kernel Affects Device Registration Process
CVE-2025-21934

7.8 HIGH

Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 1 April 2025

Summary

A vulnerability has been identified in the Linux kernel's handling of the RapidIO device registration process. The rio_add_net() function calls device_register(); when that registration fails, the error path must release the partially initialised device correctly, but the function frees it with kfree() instead of dropping the reference with put_device(). Because kfree() bypasses the device's release callback, this can leak memory or, more seriously, lead to a use-after-free if the stale 'mport->net' pointer is later dereferenced. The fix is to release the device with put_device() and set 'mport->net' to NULL after a failed registration so that no dangling pointer remains.
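The error-path distinction the summary describes, as an added userspace model (not kernel code and not the patched rio driver): a refcounted device object is built with a release callback, registration is made to fail, and the buggy path (kfree and a stale pointer) is contrasted with the corrected path (put_device() plus clearing mport->net). The struct names, the simulated device_register()/put_device() and the failure-injection flag are assumptions made for this example; they only mirror the kernel convention that a failed device_register() still leaves the initial reference to be dropped by the caller.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for the kernel's refcounted device (constructed for this
 * example, not the real struct device). */
struct device {
    int refcount;
    void (*release)(struct device *dev);
};

struct rio_net {          /* example stand-in for the driver's net object */
    struct device dev;
    int id;
};

struct rio_mport {        /* example stand-in for the master port */
    struct rio_net *net;
};

static int release_calls;       /* how many times the release callback ran */
static int fail_next_register;  /* failure injection for the simulated core */

static void device_initialize(struct device *dev, void (*release)(struct device *))
{
    dev->refcount = 1;   /* initial reference, like the kernel's device_initialize() */
    dev->release = release;
}

static void put_device(struct device *dev)
{
    if (dev && --dev->refcount == 0)
        dev->release(dev);   /* last reference gone: run the release callback */
}

/* Simulated device_register(): on failure the initial reference is still
 * held, so the caller must drop it with put_device(), as in the kernel. */
static int device_register(struct device *dev)
{
    if (fail_next_register) {
        fail_next_register = 0;
        return -ENOMEM;
    }
    dev->refcount++;      /* the core now holds its own reference */
    return 0;
}

static void rio_release_net(struct device *dev)
{
    release_calls++;
    free((struct rio_net *)dev);   /* net embeds dev as its first member */
}

static struct rio_net *rio_alloc_net(void)
{
    struct rio_net *net = calloc(1, sizeof(*net));
    if (net)
        device_initialize(&net->dev, rio_release_net);
    return net;
}

/* Error path of the kind the advisory describes: kfree() instead of
 * put_device(), and mport->net left pointing at freed memory. */
static int rio_add_net_buggy(struct rio_mport *mport, struct rio_net *net)
{
    int err;
    mport->net = net;
    err = device_register(&net->dev);
    if (err) {
        free(net);        /* bypasses the release callback */
        return err;       /* mport->net is now dangling */
    }
    return 0;
}

/* Corrected error path: drop the reference via put_device() and clear the
 * pointer so nothing can dereference a freed net later. */
static int rio_add_net_fixed(struct rio_mport *mport, struct rio_net *net)
{
    int err;
    mport->net = net;
    err = device_register(&net->dev);
    if (err) {
        put_device(&net->dev);  /* refcount 1 -> 0: release frees net */
        mport->net = NULL;      /* no stale pointer left behind */
        return err;
    }
    return 0;
}

/* Scenario helpers: return 1 when the path behaves as described above. */
static int fixed_path_clears_pointer(void)
{
    struct rio_mport mport = { 0 };
    struct rio_net *net = rio_alloc_net();
    int before = release_calls;
    if (!net) return 0;
    fail_next_register = 1;
    if (rio_add_net_fixed(&mport, net) == 0) return 0;
    return mport.net == NULL && release_calls == before + 1;
}

static int buggy_path_leaves_dangling_pointer(void)
{
    struct rio_mport mport = { 0 };
    struct rio_net *net = rio_alloc_net();
    int before = release_calls;
    if (!net) return 0;
    fail_next_register = 1;
    if (rio_add_net_buggy(&mport, net) == 0) return 0;
    return mport.net != NULL && release_calls == before;  /* release never ran */
}

int main(void)
{
    printf("fixed path clears pointer and runs release: %d\n", fixed_path_clears_pointer());
    printf("buggy path leaves dangling pointer, no release: %d\n", buggy_path_leaves_dangling_pointer());
    return 0;
}
```

The helper functions make the two outcomes observable without dereferencing freed memory: the fixed path ends with a NULL mport->net and exactly one release call, while the buggy path ends with a non-NULL stale pointer and no release call at all, which is the memory leak or use-after-free condition the advisory describes.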

Affected Version(s)

Linux e8de370188d098bb49483c287b44925957c3c9b6

Linux e8de370188d098bb49483c287b44925957c3c9b6 < 88ddad53e4cfb6de861c6d4fb7b25427f46baed5


References

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved