CVE-2025-21817: Vulnerability in Linux Linux

High
Published: Thu Feb 27 2025 (02/27/2025, 20:04:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

block: mark GFP_NOIO around sysfs ->store()

sysfs ->store() is called with the queue frozen; meanwhile, we have several ->store() callbacks (update_nr_requests, wbt, scheduler) that allocate memory with GFP_KERNEL, which may run into the direct reclaim code path, and then a potential deadlock can be caused.

Fix the issue by marking NOIO around sysfs ->store().

AI-Powered Analysis

Last updated: 06/30/2025, 09:26:56 UTC

Technical Analysis

CVE-2025-21817 is a vulnerability identified in the Linux kernel related to the handling of memory allocation within sysfs ->store() callbacks. Specifically, the issue arises when sysfs ->store() is called while the block device queue is frozen. During this state, several ->store() callbacks such as update_nr_requests, wbt (writeback throttling), and scheduler attempt to allocate memory using GFP_KERNEL. GFP_KERNEL allocations may trigger direct reclaim paths, which involve reclaiming memory by potentially blocking or waiting on other resources. Because the queue is frozen during these operations, this can lead to a deadlock condition where the kernel is waiting on memory reclaim while holding locks or resources that prevent progress, effectively causing the system or affected subsystems to hang. The root cause is the inappropriate use of GFP_KERNEL memory allocation flags in a context where IO operations are frozen and blocking is unsafe. The fix involves marking the memory allocation with GFP_NOIO around the sysfs ->store() calls, which prevents the allocation from triggering IO operations and thus avoids the deadlock scenario. This vulnerability affects the Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and was published on February 27, 2025. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
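The scoping described above, as an added userspace model in C (not kernel source and not the upstream patch): the callback keeps requesting GFP_KERNEL, and a per-task flag set around the ->store() call strips the I/O-capable bits at allocation time. All names and flag values are constructed for illustration; in the kernel the corresponding helpers are memalloc_noio_save() and memalloc_noio_restore().

```c
#include <stdio.h>

/* Constructed bit values; only the relationships mirror the kernel's GFP flags. */
#define M_GFP_RECLAIM 0x1u
#define M_GFP_IO      0x2u
#define M_GFP_FS      0x4u
#define M_GFP_KERNEL  (M_GFP_RECLAIM | M_GFP_IO | M_GFP_FS)
#define M_PF_MEMALLOC_NOIO 0x1u

static unsigned int task_flags; /* stands in for current->flags */
static int queue_frozen;        /* stands in for the frozen request queue */

/* Enter a NOIO scope; return the previous state so scopes can nest. */
static unsigned int noio_save(void)
{
    unsigned int old = task_flags & M_PF_MEMALLOC_NOIO;
    task_flags |= M_PF_MEMALLOC_NOIO;
    return old;
}

/* Leave the scope, restoring whatever the caller had before. */
static void noio_restore(unsigned int old)
{
    task_flags = (task_flags & ~M_PF_MEMALLOC_NOIO) | old;
}

/* Allocator entry: returns 1 if reclaim may issue I/O while the queue is frozen. */
static int alloc_may_deadlock(unsigned int gfp)
{
    if (task_flags & M_PF_MEMALLOC_NOIO)
        gfp &= ~(M_GFP_IO | M_GFP_FS); /* GFP_KERNEL degrades to GFP_NOIO */
    return queue_frozen && (gfp & M_GFP_IO) != 0;
}

/* A ->store() callback that allocates with GFP_KERNEL; the fix leaves it unchanged. */
static int store_cb(void) { return alloc_may_deadlock(M_GFP_KERNEL); }

/* Model of the sysfs write path: patched != 0 wraps the callback in a NOIO scope. */
static int sysfs_store(int patched)
{
    unsigned int old = 0;
    int risky;
    queue_frozen = 1;
    if (patched) old = noio_save();
    risky = store_cb();
    if (patched) noio_restore(old);
    queue_frozen = 0;
    return risky;
}

int main(void)
{
    printf("unpatched: deadlock possible = %d\n", sysfs_store(0));
    printf("patched:   deadlock possible = %d\n", sysfs_store(1));
    return 0;
}
```

Returning the previous state from the save helper is what lets a caller that is already inside a NOIO scope stay in it after the inner scope ends.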

Potential Impact

For European organizations, this vulnerability could lead to system instability or denial of service (DoS) conditions on Linux-based servers and infrastructure. Since Linux is widely used in enterprise environments, cloud services, and critical infrastructure across Europe, a deadlock in the kernel could cause affected systems to hang or become unresponsive, impacting availability. This is particularly critical for data centers, telecommunications, financial institutions, and public sector organizations relying on Linux for their operations. Although the vulnerability does not appear to allow privilege escalation or direct code execution, the resulting DoS could disrupt business continuity, degrade service levels, and increase operational costs due to downtime and recovery efforts. The absence of known exploits reduces immediate risk, but the potential for accidental triggering or future exploitation remains, especially in environments with heavy sysfs interactions or custom kernel modules that utilize these callbacks.

Mitigation Recommendations

European organizations should prioritize applying the official Linux kernel patches that mark GFP_NOIO around sysfs ->store() callbacks to prevent the deadlock condition. Kernel updates should be tested and deployed promptly in production environments. Additionally, organizations should audit their use of sysfs interfaces and kernel modules that interact with block device queues to identify any custom or legacy code that might be vulnerable. Monitoring system logs and kernel messages for signs of queue freezes or deadlocks can provide early warning of exploitation or accidental triggering. In environments where immediate patching is not feasible, consider isolating critical Linux systems or limiting access to sysfs interfaces to reduce attack surface. Implementing robust system monitoring and automated recovery mechanisms (e.g., watchdog timers) can help mitigate the impact of potential hangs. Finally, maintain up-to-date inventories of Linux kernel versions in use to ensure vulnerable versions are identified and remediated.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.774Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe88fb

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 9:26:56 AM

Last updated: 8/10/2025, 11:20:24 PM
