
CVE-2025-21723: Vulnerability in the Linux kernel

Medium
Published: Thu Feb 27 2025 (02/27/2025, 02:07:30 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Fix possible crash when setting up bsg fails

If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead to the following crash:

    BUG: kernel NULL pointer dereference, address: 000000000000041c
    Call Trace:
     <TASK>
     mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]
     mpi3mr_remove+0x6f/0x340 [mpi3mr]
     pci_device_remove+0x3f/0xb0
     device_release_driver_internal+0x19d/0x220
     unbind_store+0xa4/0xb0
     kernfs_fop_write_iter+0x11f/0x200
     vfs_write+0x1fc/0x3e0
     ksys_write+0x67/0xe0
     do_syscall_64+0x38/0x80
     entry_SYSCALL_64_after_hwframe+0x78/0xe2

AI-Powered Analysis

Last updated: 06/30/2025, 08:27:53 UTC

Technical Analysis

CVE-2025-21723 is a vulnerability identified in the Linux kernel's SCSI subsystem, specifically within the mpi3mr driver which handles certain SCSI devices. The issue arises when the function bsg_setup_queue() fails during the setup of the block storage gateway (bsg) queue. In this failure scenario, the bsg_queue pointer is incorrectly assigned a non-NULL value. Later, when mpi3mr_bsg_exit() is called during device removal or driver unload, it checks if the bsg_queue pointer is NULL to decide whether to call bsg_remove_queue(). Due to the erroneous non-NULL assignment, this condition is not met, and bsg_remove_queue() is not invoked. This leads to a use-after-free or null pointer dereference scenario, causing a kernel crash with a BUG message referencing a NULL pointer dereference at a low memory address (0x000000000000041c). The crash occurs in the call stack involving mpi3mr_bsg_exit(), mpi3mr_remove(), pci_device_remove(), and related kernel functions. This vulnerability can cause a denial of service (DoS) by crashing the kernel when the affected driver attempts to remove or unbind the device. The issue has been fixed by correcting the bsg_queue assignment logic to ensure proper cleanup and avoid the crash. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects Linux kernel versions containing the mpi3mr driver with the faulty code, as indicated by the affected version hashes provided.
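
The pointer-handling pattern behind this crash, as an added userspace C model (not the mpi3mr driver's code and not the upstream patch): a setup routine reports failure through a non-NULL, error-encoded pointer, so a later "!ptr" guard cannot tell that setup failed. The helpers are modelled on the kernel's ERR_PTR()/IS_ERR(); struct ioc, struct queue, setup_queue() and the other function names are hypothetical, and the model assumes the non-NULL failure value is an error-encoded pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins modelled on the kernel's ERR_PTR()/IS_ERR() helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct queue { int id; };                 /* hypothetical stand-in for the bsg queue */
struct ioc { struct queue *bsg_queue; };  /* hypothetical stand-in for mrioc */

/* Constructed setup routine: reports failure as an error-encoded pointer. */
static struct queue *setup_queue(int fail)
{
    static struct queue q = { 1 };
    return fail ? ERR_PTR(-ENOMEM) : &q;
}

/* Pattern described on the page: the failed result stays in the field. */
static void init_unfixed(struct ioc *ioc, int fail)
{
    ioc->bsg_queue = setup_queue(fail);
}

/* Hardened pattern: normalise a failed setup to NULL before anyone reads it. */
static void init_hardened(struct ioc *ioc, int fail)
{
    ioc->bsg_queue = setup_queue(fail);
    if (IS_ERR(ioc->bsg_queue))
        ioc->bsg_queue = NULL;
}

/* The exit path's guard: 1 means "no queue was set up, skip teardown". */
static int exit_guard_skips(const struct ioc *ioc) { return !ioc->bsg_queue; }

int main(void)
{
    struct ioc a, b;
    init_unfixed(&a, 1);
    init_hardened(&b, 1);
    printf("unfixed:  guard skips teardown = %d\n", exit_guard_skips(&a));
    printf("hardened: guard skips teardown = %d\n", exit_guard_skips(&b));
    return 0;
}
```

When reviewing similar drivers, any field that receives the result of an ERR_PTR-returning call and is later tested only against NULL deserves the same scrutiny.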

Potential Impact

For European organizations, the primary impact of CVE-2025-21723 is a potential denial of service condition on Linux systems using the mpi3mr SCSI driver. This driver is typically used for managing certain SCSI RAID controllers or storage devices. Organizations relying on Linux servers or infrastructure with these specific hardware components could experience unexpected kernel crashes during device removal or driver operations, leading to system downtime and potential disruption of critical services. This could affect data center operations, cloud service providers, and enterprises with storage arrays using affected hardware. Although this vulnerability does not appear to allow privilege escalation or remote code execution, the resulting kernel panic could interrupt business continuity and require system reboots, impacting availability. Given the widespread use of Linux in European IT environments, especially in sectors like finance, telecommunications, and government, any disruption in storage subsystem stability can have significant operational consequences. However, the impact is limited to systems with the affected hardware and driver, and exploitation requires conditions that trigger the driver unload or device removal process.

Mitigation Recommendations

To mitigate CVE-2025-21723, European organizations should:

1) Identify Linux systems running kernels with the mpi3mr driver, particularly those managing SCSI storage controllers that rely on this driver.
2) Apply the latest Linux kernel updates or patches that include the fix for this vulnerability as soon as they become available from trusted Linux distributions or upstream sources.
3) Avoid unnecessary removal or unbinding of devices using the mpi3mr driver until patched, especially in production environments.
4) Implement monitoring to detect kernel panics or crashes related to storage drivers to enable rapid incident response.
5) For critical systems, consider redundancy and failover mechanisms to maintain availability in case of a crash.
6) Test kernel updates in staging environments to ensure compatibility with existing storage hardware and software stacks before deployment.
7) Maintain up-to-date backups of critical data to mitigate risks from unexpected downtime.

These steps go beyond generic advice by focusing on hardware-specific driver identification, patch prioritization, and operational controls around device management.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.754Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe85ee

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 8:27:53 AM

Last updated: 8/17/2025, 9:46:35 AM
