
CVE-2025-21773: Vulnerability in the Linux kernel

Medium
Tags: Vulnerability, CVE-2025-21773, cve
Published: Thu Feb 27 2025 (02/27/2025, 02:18:20 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

can: etas_es58x: fix potential NULL pointer dereference on udev->serial

The driver assumed that es58x_dev->udev->serial could never be NULL. While this is true on commercially available devices, an attacker could spoof the device identity providing a NULL USB serial number. That would trigger a NULL pointer dereference. Add a check on es58x_dev->udev->serial before accessing it.

AI-Powered Analysis

AILast updated: 06/30/2025, 08:57:16 UTC

Technical Analysis

CVE-2025-21773 is a NULL pointer dereference in the Linux kernel's etas_es58x driver, the USB CAN (Controller Area Network) interface driver for the ETAS ES58x family (ES581.4, ES582.1 and ES584.1). The driver read es58x_dev->udev->serial, the serial string that the USB core caches from a device's iSerialNumber string descriptor, without checking it for NULL. Every commercially available ES58x device supplies a serial, so the assumption held in practice, but the string descriptor is entirely under the device's control: a device that reports an iSerialNumber of 0, or that fails the string request, is enumerated with udev->serial left NULL. An attacker can therefore present a USB device that carries the ETAS vendor and product IDs (so that the driver binds to it) but no serial string, and the driver dereferences NULL when it reaches for the serial. In kernel context that is an oops; where panic_on_oops is set it takes the host down, and otherwise it leaves the driver and the attached device unusable. The outcome is a local denial of service: a NULL read of this kind offers no confidentiality or integrity impact, and there is no indication of controllable memory corruption. Triggering it requires the ability to attach a USB device to the host, physically or through an equivalent attachment path such as USB redirection into a virtual machine; no privileges on the host are needed beyond that. The fix adds a check on es58x_dev->udev->serial before it is accessed, so a device without a serial is handled instead of crashing the kernel. No CVSS score has been assigned (the record carries Cvss Version null), and no exploitation in the wild is known. As is usual for kernel CNA records, affected builds are identified by commit hash rather than by a version range: any kernel that carries the driver without the fix commit is affected.
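The NULL-serial path described above, as an added example that is not code from the kernel tree or from ETAS: a small user-space C model in which the USB core's serial caching, the driver's pre-fix access and its post-fix check are stand-in functions, and the string descriptors (including the "ES58X-0001" serial) are constructed. It shows that a device choosing iSerialNumber 0 leaves the cached serial NULL, and that only the checked access survives that device.

```c
/*
 * Added example for CVE-2025-21773 (not code from the kernel tree or from
 * ETAS): a user-space model of how udev->serial ends up NULL and of the
 * vulnerable and fixed access patterns. Names and string values below are
 * constructed for illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_MAX 64

/* Constructed stand-in for the string descriptors a USB device returns.
 * Index 0 is the language ID table and is never a printable string. */
static const char *const STRING_DESCRIPTORS[] = { NULL, "ETAS", "ES582.1", "ES58X-0001" };
#define N_STRINGS (sizeof STRING_DESCRIPTORS / sizeof STRING_DESCRIPTORS[0])

struct usb_device {
    unsigned char iSerialNumber; /* device-descriptor field, chosen by the device */
    char *serial;                /* USB core's cached copy, NULL when none supplied */
};

/* Model of USB core string caching: an iSerialNumber of 0 means "no serial
 * string", and a string the device refuses to return is treated the same way.
 * In both cases the cache stays NULL; it is never an empty string. */
static void usb_cache_serial(struct usb_device *udev)
{
    unsigned char idx = udev->iSerialNumber;

    udev->serial = (idx == 0 || idx >= N_STRINGS) ? NULL
                                                  : (char *)STRING_DESCRIPTORS[idx];
}

struct info_out {
    int has_serial;
    char serial[SERIAL_MAX];
};

static void copy_serial(const char *src, struct info_out *out)
{
    size_t n = strlen(src);

    if (n >= sizeof out->serial)
        n = sizeof out->serial - 1;
    memcpy(out->serial, src, n);
    out->serial[n] = '\0';
    out->has_serial = 1;
}

/* Pre-fix shape: the serial is assumed to exist. With a spoofed device
 * udev->serial is NULL and strlen() inside copy_serial() is the oops. */
static int info_get_vulnerable(const struct usb_device *udev, struct info_out *out)
{
    copy_serial(udev->serial, out);
    return 0;
}

/* Post-fix shape: check the pointer first and simply omit the field. A
 * missing serial is not an error condition, so the return value stays 0. */
static int info_get_fixed(const struct usb_device *udev, struct info_out *out)
{
    out->has_serial = 0;
    out->serial[0] = '\0';
    if (!udev->serial)
        return 0;
    copy_serial(udev->serial, out);
    return 0;
}

/* Enumerate a device reporting `iSerialNumber` and run the fixed path.
 * Returns 1 if a serial was reported (copied into buf), 0 if omitted. */
static int fixed_reports_serial(unsigned char iSerialNumber, char *buf, size_t len)
{
    struct usb_device udev = { .iSerialNumber = iSerialNumber, .serial = NULL };
    struct info_out out;

    usb_cache_serial(&udev);
    info_get_fixed(&udev, &out);
    snprintf(buf, len, "%s", out.serial);
    return out.has_serial;
}

int main(void)
{
    char buf[SERIAL_MAX];

    /* A genuine ES58x device: serial present, both paths behave identically. */
    printf("genuine device: has_serial=%d serial=%s\n",
           fixed_reports_serial(3, buf, sizeof buf), buf);

    /* A spoofed device with iSerialNumber = 0: the fixed path reports no
     * serial. info_get_vulnerable() on the same device would dereference NULL. */
    printf("spoofed device: has_serial=%d serial=\"%s\"\n",
           fixed_reports_serial(0, buf, sizeof buf), buf);
    return 0;
}
```

The model deliberately keeps the check in the consumer rather than in the caching layer: the USB core's contract is that an absent string is NULL, so every driver that reports or compares udev->serial has to test the pointer itself.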

Potential Impact

For European organizations, the impact of CVE-2025-21773 is a denial of service on Linux hosts that can bind the etas_es58x driver. The obvious population is the automotive testing, industrial control and embedded systems where ETAS ES58x CAN interfaces are actually in use, in manufacturing, transportation and automotive R&D. The exposure is wider than that, though: the driver is matched on USB vendor and product ID, so any kernel that has it built in, or built as a module that autoloads on hotplug (CONFIG_CAN_ETAS_ES58X), will bind a spoofed device whether or not ES58x hardware has ever been used on that host. The attack needs a USB device to be attached, so it requires physical access to a port or an equivalent attachment path, and it yields an oops rather than data exposure or privilege escalation. In environments where uptime is the asset, such as test benches, industrial automation and embedded Linux in transportation infrastructure, a kernel crash can still mean operational disruption, safety-relevant loss of control or monitoring, and recovery effort.

Mitigation Recommendations

1. Update to a kernel that carries the fix. The CVE record states the issue is resolved upstream, so the patch already exists; take it from the stable branch or from the distribution kernel rather than waiting for a later release, and confirm that the running kernel includes the fix commit for the etas_es58x driver.
2. Where ES58x hardware is not used, keep the driver out of the kernel entirely: blacklist the etas_es58x module through a modprobe.d drop-in, or build kernels without CONFIG_CAN_ETAS_ES58X. A device that never binds to the driver cannot reach the bug.
3. Restrict USB attachment on critical Linux hosts: disable unused ports, and enforce a device authorisation policy (USBGuard, or the USB core's per-device authorized attribute with authorized_default set to 0). Because the spoofed device presents the legitimate ETAS vendor and product IDs, an allowlist keyed on VID:PID alone does not help; requiring the serial number of known devices rejects one that presents none.
4. Monitor kernel logs for oopses attributed to etas_es58x and for USB enumeration of devices that present no serial. The USB core only creates the serial sysfs attribute when the device supplied one, so a newly attached device without it is easy to spot.
5. Where physical access cannot be controlled, add hardware USB port locks or endpoint controls to reduce the chance of a hostile device being inserted.
6. Keep an inventory of kernel versions and enabled drivers so that hosts carrying the unfixed driver can be found and remediated quickly.
7. Make administrators and security teams aware that USB-borne attacks reach the kernel before any user-space control, and that kernel patches for this class of bug should not be deferred.
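The host-side controls from items 2 and 4 above, as an added example that is not from the advisory, the kernel tree or ETAS: a POSIX shell snippet that writes a modprobe.d drop-in blocking etas_es58x, checks whether a directory already contains such a drop-in, and lists USB devices under a sysfs tree that present no serial string. The directory paths and the vendor/product values used when testing it are constructed; on a real host pass /etc/modprobe.d and /sys/bus/usb/devices.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel tree): host-side hardening
# checks for CVE-2025-21773.
#
#   write_block_conf DIR     write a modprobe.d snippet into DIR that stops the
#                            etas_es58x module from loading
#   module_blocked DIR       exit 0 if DIR already contains such a snippet
#   usb_without_serial ROOT  print "<port> <vid>:<pid>" for every USB device
#                            under ROOT (normally /sys/bus/usb/devices) that
#                            exposes no serial attribute
set -u

MODULE=etas_es58x

write_block_conf() {
    dir=$1
    # "install ... /bin/false" is stronger than "blacklist": blacklist only
    # stops alias-based autoload on hotplug, install also defeats an explicit
    # modprobe. Ship both so either reading of the policy holds.
    cat > "$dir/$MODULE-block.conf" <<EOF
# CVE-2025-21773: keep the ETAS ES58x CAN driver out of the kernel until patched
blacklist $MODULE
install $MODULE /bin/false
EOF
}

module_blocked() {
    dir=$1
    # Accept either directive, anchored so a commented-out line does not count.
    grep -rqsE "^[[:space:]]*(blacklist[[:space:]]+$MODULE|install[[:space:]]+$MODULE[[:space:]]+/bin/(false|true))([[:space:]]|\$)" "$dir"
}

usb_without_serial() {
    root=$1
    # Device directories (not interface directories such as 1-2:1.0) carry
    # idVendor/idProduct. The USB core creates the serial attribute only when
    # the device returned a valid iSerialNumber string, which is exactly what a
    # device aiming at the unchecked udev->serial omits.
    for dev in "$root"/*; do
        [ -f "$dev/idVendor" ] || continue
        if [ ! -f "$dev/serial" ]; then
            printf '%s %s:%s\n' "$(basename "$dev")" \
                "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")"
        fi
    done
}
```

Run module_blocked /etc/modprobe.d before and after write_block_conf to confirm the drop-in took effect, and wire usb_without_serial /sys/bus/usb/devices into a udev add rule or a periodic check so that a serial-less device is logged at the moment it appears rather than after the oops.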


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-12-29T08:45:45.762Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9832c4522896dcbe8778

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 8:57:16 AM

Last updated: 7/30/2025, 8:58:11 AM

