
CVE-2025-21688: Vulnerability in Linux Linux

Severity: High
Published: Mon Feb 10 2025 (02/10/2025, 15:58:44 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Assign job pointer to NULL before signaling the fence

In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race condition between the DRM scheduler workqueue and the IRQ execution thread. As soon as the fence is signaled in the IRQ execution thread, a new job starts to be executed. This results in a race condition where the IRQ execution thread sets the job pointer to NULL simultaneously as the `run_job()` function assigns a new job to the pointer.

This race condition can lead to a NULL pointer dereference if the IRQ execution thread sets the job pointer to NULL after `run_job()` assigns it to the new job. When the new job completes and the GPU emits an interrupt, `v3d_irq()` is triggered, potentially causing a crash.

[ 466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0
[ 466.318928] Mem abort info:
[ 466.321723] ESR = 0x0000000096000005
[ 466.325479] EC = 0x25: DABT (current EL), IL = 32 bits
[ 466.330807] SET = 0, FnV = 0
[ 466.333864] EA = 0, S1PTW = 0
[ 466.337010] FSC = 0x05: level 1 translation fault
[ 466.341900] Data abort info:
[ 466.344783] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 466.350285] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 466.355350] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000
[ 466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6
[ 466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G C 6.13.0-v8+ #18
[ 466.467336] Tainted: [C]=CRAP
[ 466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)
[ 466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 466.483143] pc : v3d_irq+0x118/0x2e0 [v3d]
[ 466.487258] lr : __handle_irq_event_percpu+0x60/0x228
[ 466.492327] sp : ffffffc080003ea0
[ 466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000
[ 466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200
[ 466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000
[ 466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000
[ 466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000
[ 466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0
[ 466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
[ 466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70
[ 466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000
[ 466.567263] Call trace:
[ 466.569711] v3d_irq+0x118/0x2e0 [v3d] (P)
[ 466. ---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 17:28:01 UTC

Technical Analysis

CVE-2025-21688 is a race condition in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically in the v3d driver that schedules GPU jobs on platforms such as the Raspberry Pi 5. The flaw is a missing ordering guarantee between the DRM scheduler workqueue and the interrupt request (IRQ) execution thread. When a GPU job completes, the IRQ handler signals the job's fence and, in the code introduced by commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), then sets the per-queue job pointer to NULL to mark completion. Signaling the fence, however, is exactly what allows the scheduler to start the next job, so the scheduler's run_job() can store the new job into that same pointer while the IRQ thread is still about to store NULL. If the IRQ thread's NULL store lands after run_job()'s store, the pointer to the new job is lost; when that job completes and the GPU raises its interrupt, v3d_irq() dereferences the NULL pointer and the kernel crashes (a kernel oops). The crash log in the description shows this as a level 1 translation fault at virtual address 00000000000000c0 with the program counter inside v3d_irq, on an ARM64 Raspberry Pi 5. The upstream fix, as the CVE title states, assigns the job pointer to NULL before signaling the fence, so the NULL store can no longer race with run_job(). The vulnerability affects Linux kernel versions that contain the original commit, particularly ARM64 builds with the v3d driver, and its direct consequence is system instability or denial of service. There is no evidence of active exploitation in the wild at this time, and no CVSS score has been assigned yet.
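As an added illustration (not code from the kernel, the v3d driver, or this advisory), the following single-threaded C model forces the losing interleaving that the description and the analysis above talk about: the "fence" is modelled as a callback that immediately runs the scheduler's run_job(), so the pre-fix ordering (signal, then clear the pointer) overwrites the freshly assigned job with NULL and the next interrupt finds no job, while the fixed ordering (clear, then signal) leaves the new job in place. All names in the model (struct queue_state, irq_complete_buggy, irq_complete_fixed, irq_handle_next, simulate) are assumptions made for the illustration and are not the driver's real symbols; the real race is nondeterministic between two threads, which the model collapses into one deterministic sequence so the defect is reproducible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the v3d job-completion ordering behind CVE-2025-21688.
 * Not kernel code: the fence is a synchronous callback standing in for the DRM
 * scheduler calling run_job() as soon as the fence is signaled. */

struct job {
    int id;
};

struct queue_state {
    struct job *current;   /* the driver's per-queue job pointer (modelled) */
    struct job *pending;   /* the next job the scheduler will hand to run_job() */
    int run_job_calls;
};

/* Scheduler side: run_job() publishes the new job in the queue's job pointer. */
static void run_job(struct queue_state *q)
{
    if (q->pending != NULL) {
        q->current = q->pending;
        q->pending = NULL;
        q->run_job_calls++;
    }
}

/* Signaling the fence lets the scheduler proceed; modelled as an immediate run_job(). */
static void signal_fence(struct queue_state *q)
{
    run_job(q);
}

/* Pre-fix ordering: signal first, then clear the pointer. When the scheduler wins
 * the race, the later NULL store wipes out the job run_job() just assigned. */
static void irq_complete_buggy(struct queue_state *q)
{
    signal_fence(q);
    q->current = NULL;
}

/* Fixed ordering (the change the CVE title names): clear the pointer, then signal,
 * so the NULL store can no longer land after run_job()'s store. */
static void irq_complete_fixed(struct queue_state *q)
{
    q->current = NULL;
    signal_fence(q);
}

/* The next interrupt dereferences the job pointer. Here a NULL pointer returns false;
 * in the real driver it is the NULL pointer dereference shown in the oops. */
static bool irq_handle_next(const struct queue_state *q, int *completed_id)
{
    if (q->current == NULL)
        return false;
    *completed_id = q->current->id;
    return true;
}

/* Run one completion with the chosen ordering, then the next interrupt.
 * Returns whether that interrupt found a valid job. */
static bool simulate(bool fixed, int *completed_id)
{
    struct job first = { .id = 1 };
    struct job second = { .id = 2 };
    struct queue_state q = { .current = &first, .pending = &second, .run_job_calls = 0 };

    if (fixed)
        irq_complete_fixed(&q);
    else
        irq_complete_buggy(&q);

    return irq_handle_next(&q, completed_id);
}

int main(void)
{
    int id = 0;
    printf("pre-fix ordering: next IRQ found job? %s\n",
           simulate(false, &id) ? "yes" : "no (NULL deref in real driver)");
    printf("fixed ordering:   next IRQ found job? %s (job %d)\n",
           simulate(true, &id) ? "yes" : "no", id);
    return 0;
}
```

The model keeps only the two stores that matter (run_job()'s store of the new job and the IRQ path's store of NULL) and the fact that signaling the fence is what unblocks the scheduler; everything else about the driver is omitted. A practitioner reading the oops can map the false return of irq_handle_next onto the translation fault at virtual address 00000000000000c0 in v3d_irq in the report.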

Potential Impact

For European organizations, the impact of CVE-2025-21688 primarily involves potential denial of service (DoS) conditions on systems running vulnerable Linux kernel versions with the v3d DRM driver enabled. This is particularly relevant for organizations deploying ARM64-based embedded systems, IoT devices, or edge computing nodes that utilize Raspberry Pi 5 or similar hardware for operational technology, development, or specialized computing tasks. A kernel crash triggered by this vulnerability could disrupt critical services, cause system reboots, or lead to data loss if the system is used in production environments. While this vulnerability does not directly enable privilege escalation or remote code execution, the resulting instability could be exploited by attackers to cause persistent outages or to facilitate further attacks by forcing system restarts. European sectors relying on embedded Linux devices for industrial control, digital signage, or network infrastructure could face operational interruptions. Additionally, organizations involved in software development or testing on affected platforms may experience productivity losses due to system crashes.

Mitigation Recommendations

To mitigate CVE-2025-21688, European organizations should:

1) Apply the official Linux kernel patch that reorders the job-pointer assignment in the v3d DRM driver (the CVE description states the fix is already merged upstream) as soon as it is shipped by the kernel maintainers or the distribution vendor.
2) For systems where patching is delayed, disable the v3d DRM driver if it is not essential to operations, thereby removing the affected code path.
3) Implement kernel crash monitoring and automated recovery mechanisms to minimize downtime caused by unexpected kernel oops events.
4) Test updated kernel versions in staging environments to confirm stability before deploying them to production.
5) Maintain strict control over software updates and verify the running kernel version on ARM64 devices to ensure they are not running vulnerable builds.
6) For critical infrastructure, deploy redundant systems or failover strategies to limit the impact of potential DoS conditions.
7) Engage with hardware and software vendors to confirm support and timely patch availability for affected devices.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.741Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9805

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 5:28:01 PM

Last updated: 7/31/2025, 12:14:51 AM

