CVE-2025-21810 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()

There are a potential wild pointer dereferences issue regarding APIs
class_dev_iter_(init|next|exit)(), as explained by below typical usage:

// All members of @iter are wild pointers.
struct class_dev_iter iter;

// class_dev_iter_init(@iter, @class, ...) checks parameter @class for
// potential class_to_subsys() error, and it returns void type and does
// not initialize its output parameter @iter, so caller can not detect
// the error and continues to invoke class_dev_iter_next(@iter) even if
// @iter still contains wild pointers.
class_dev_iter_init(&iter, ...);

// Dereference these wild pointers in @iter here once suffer the error.
while (dev = class_dev_iter_next(&iter)) { ... };

// Also dereference these wild pointers here.
class_dev_iter_exit(&iter);

Actually, all callers of these APIs have such usage pattern in kernel tree.
Fix by:
- Initialize output parameter @iter by memset() in class_dev_iter_init()
and give callers prompt by pr_crit() for the error.
- Check if @iter is valid in class_dev_iter_next().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2025-5975	In the Linux kernel, the following vulnerability has been resolved: driver core: class: Fix wild pointer dereferences in API class_dev_iter_next() There are a potential wild pointer dereferences issue regarding APIs class_dev_iter_(init\|next\|exit)(), as explained by below typical usage: // All members of @iter are wild pointers. struct class_dev_iter iter; // class_dev_iter_init(@iter, @class, ...) checks parameter @class for // potential class_to_subsys() error, and it returns void type and does // not initialize its output parameter @iter, so caller can not detect // the error and continues to invoke class_dev_iter_next(@iter) even if // @iter still contains wild pointers. class_dev_iter_init(&iter, ...); // Dereference these wild pointers in @iter here once suffer the error. while (dev = class_dev_iter_next(&iter)) { ... }; // Also dereference these wild pointers here. class_dev_iter_exit(&iter); Actually, all callers of these APIs have such usage pattern in kernel tree. Fix by: - Initialize output parameter @iter by memset() in class_dev_iter_init() and give callers prompt by pr_crit() for the error. - Check if @iter is valid in class_dev_iter_next().
Ubuntu USN	USN-7521-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7521-2	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7521-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-4	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-7651-5	Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN	USN-7651-6	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7652-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7653-1	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7737-1	Linux kernel (Azure) vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/1614e75d1a1b63db6421c7a4bf37004720c7376c
https://git.kernel.org/stable/c/5c504e9767b947cf7d4e29b811c0c8b3c53242b7
https://git.kernel.org/stable/c/e128f82f7006991c99a58114f70ef61e937b1ac1
https://git.kernel.org/stable/c/f4b9bc823b0cfdebfed479c0e87d6939c7562e87
https://lore.kernel.org/linux-cve-announce/2025022754-CVE-2025-21810-0c14@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-21810
https://www.cve.org/CVERecord?id=CVE-2025-21810

History

Tue, 28 Oct 2025 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Weaknesses		CWE-476
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel

Wed, 02 Apr 2025 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20

Fri, 28 Feb 2025 14:45:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025022754-CVE-2025-21810-0c14@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-21810 https://www.cve.org/CVERecord?id=CVE-2025-21810
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Thu, 27 Feb 2025 20:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: driver core: class: Fix wild pointer dereferences in API class_dev_iter_next() There are a potential wild pointer dereferences issue regarding APIs class_dev_iter_(init\|next\|exit)(), as explained by below typical usage: // All members of @iter are wild pointers. struct class_dev_iter iter; // class_dev_iter_init(@iter, @class, ...) checks parameter @class for // potential class_to_subsys() error, and it returns void type and does // not initialize its output parameter @iter, so caller can not detect // the error and continues to invoke class_dev_iter_next(@iter) even if // @iter still contains wild pointers. class_dev_iter_init(&iter, ...); // Dereference these wild pointers in @iter here once suffer the error. while (dev = class_dev_iter_next(&iter)) { ... }; // Also dereference these wild pointers here. class_dev_iter_exit(&iter); Actually, all callers of these APIs have such usage pattern in kernel tree. Fix by: - Initialize output parameter @iter by memset() in class_dev_iter_init() and give callers prompt by pr_crit() for the error. - Check if @iter is valid in class_dev_iter_next().
Title		driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()
References		https://git.kernel.org/stable/c/1614e75d1a1b63db6421c7a4bf37004720c7376c https://git.kernel.org/stable/c/5c504e9767b947cf7d4e29b811c0c8b3c53242b7 https://git.kernel.org/stable/c/e128f82f7006991c99a58114f70ef61e937b1ac1 https://git.kernel.org/stable/c/f4b9bc823b0cfdebfed479c0e87d6939c7562e87

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-02-27T20:01:01.630Z

Updated: 2025-05-04T07:21:40.730Z

Reserved: 2024-12-29T08:45:45.772Z

Link: CVE-2025-21810

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2025-02-27T20:16:03.587

Modified: 2025-10-28T02:55:12.300

Link: CVE-2025-21810

Redhat

Severity : Low

Publid Date: 2025-02-27T00:00:00Z

Links: CVE-2025-21810 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object