CVE-2025-21820: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

tty: xilinx_uartps: split sysrq handling

lockdep detects the following circular locking dependency:

CPU 0                      CPU 1
========================== ============================
cdns_uart_isr()            printk()
  uart_port_lock(port)       console_lock()
                               cdns_uart_console_write()
                                 if (!port->sysrq)
                                   uart_port_lock(port)
  uart_handle_break()
    port->sysrq = ...
  uart_handle_sysrq_char()
    printk()
      console_lock()

The fixed commit attempts to avoid this situation by only taking the port lock in cdns_uart_console_write if port->sysrq unset. However, if (as shown above) cdns_uart_console_write runs before port->sysrq is set, then it will try to take the port lock anyway. This may result in a deadlock.

Fix this by splitting sysrq handling into two parts. We use the prepare helper under the port lock and defer handling until we release the lock.
AI Analysis
Technical Summary
CVE-2025-21820 is a vulnerability in the Linux kernel's handling of sysrq (system request) key events within the xilinx_uartps driver, which manages UART (Universal Asynchronous Receiver/Transmitter) communication on Xilinx platforms. The root cause is a circular locking dependency between two CPUs: the port lock (uart_port_lock) and the console lock (console_lock) are acquired in opposite orders in different execution contexts, which can lead to a deadlock. On one CPU, cdns_uart_isr takes the port lock and then, while handling a sysrq character, calls printk, which takes the console lock. On the other CPU, printk takes the console lock and then calls cdns_uart_console_write, which takes the port lock. An earlier change tried to avoid this by having cdns_uart_console_write take the port lock only when port->sysrq is unset, but if cdns_uart_console_write runs before the interrupt handler sets port->sysrq, it takes the port lock anyway. The fix splits sysrq handling into two phases: a preparation phase that runs while holding the port lock, and a deferred handling phase that runs after the lock is released. This removes the circular lock dependency and thus the deadlock. The vulnerability affects the Linux kernel versions identified by the commit hash 74ea66d4ca061a3cd4c0e924e51b60e924644852 and potentially other versions using the xilinx_uartps driver with the described sysrq handling logic. No known exploits are reported in the wild as of the publication date (February 27, 2025), and no CVSS score has been assigned yet.
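The lock ordering described above, as an added example that is not part of the advisory or the kernel source: a simplified single-threaded userspace model that records which lock is taken while another is held, the way lockdep does, and compares handling sysrq under the port lock with deferring it until the lock is released. The names model_printk, isr_before, isr_after and has_cycle, and the sysrq flag standing in for port->sysrq, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Simplified userspace model, not kernel code; all names are illustrative. */
enum { PORT_LOCK, CONSOLE_LOCK, NLOCKS };
static bool held[NLOCKS], edge[NLOCKS][NLOCKS]; /* edge[a][b]: b taken while a held */
static bool sysrq;                              /* stands in for port->sysrq */

static void lock(int l) {
    for (int h = 0; h < NLOCKS; h++)
        if (held[h] && h != l) edge[h][l] = true;
    held[l] = true;
}
static void unlock(int l) { held[l] = false; }

/* printk(): console lock, then the console write path, which skips the port lock only if sysrq is set. */
static void model_printk(void) {
    lock(CONSOLE_LOCK);
    if (!sysrq) { lock(PORT_LOCK); unlock(PORT_LOCK); }
    unlock(CONSOLE_LOCK);
}

/* Before: the sysrq character is handled while the port lock is held. */
static void isr_before(void) {
    lock(PORT_LOCK);
    sysrq = true;      /* uart_handle_break() */
    model_printk();    /* uart_handle_sysrq_char() -> printk() */
    sysrq = false;
    unlock(PORT_LOCK);
}

/* After: only note the character under the lock, handle it once released. */
static void isr_after(void) {
    lock(PORT_LOCK);   /* prepare step happens here */
    unlock(PORT_LOCK);
    model_printk();    /* deferred handling */
}

/* Run one ISR variant plus an unrelated printk() (CPU 1 in the diagram); true on an AB/BA cycle. */
static bool has_cycle(void (*isr)(void)) {
    memset(held, 0, sizeof held);
    memset(edge, 0, sizeof edge);
    isr();
    model_printk();
    return edge[PORT_LOCK][CONSOLE_LOCK] && edge[CONSOLE_LOCK][PORT_LOCK];
}

int main(void) {
    printf("before: cycle=%d, after: cycle=%d\n", has_cycle(isr_before), has_cycle(isr_after));
}
```

The model reports a cycle only for the variant that calls into printk while the port lock is held; with deferred handling, every recorded ordering is console lock first, port lock second.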
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the xilinx_uartps driver, which is typically found in embedded systems and specialized hardware using Xilinx SoCs. The deadlock caused by this vulnerability can lead to system hangs or crashes, impacting availability of critical services. This is particularly concerning for industrial control systems, telecommunications infrastructure, and embedded devices used in sectors such as manufacturing, transportation, and energy, where Xilinx hardware is deployed. The deadlock does not directly compromise confidentiality or integrity but can cause denial of service conditions, potentially disrupting operations. In environments with high availability requirements, such as financial services or healthcare, even transient system unavailability can have significant operational and financial consequences. The lack of known exploits reduces immediate risk, but the complexity of the deadlock means that exploitation could be triggered by legitimate sysrq key events or specific UART traffic patterns, making it a reliability and availability concern.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions that include the fix for CVE-2025-21820. Since the vulnerability is in the xilinx_uartps driver, organizations using Xilinx-based embedded systems should verify the kernel version and apply patches provided by their hardware or OS vendors. For systems where immediate patching is not feasible, mitigating actions include disabling sysrq key handling on affected devices if operationally acceptable, to prevent triggering the deadlock condition. Additionally, monitoring system logs for symptoms of deadlock or UART-related errors can help detect potential exploitation attempts or system instability. Organizations should also review their deployment of Xilinx hardware to assess exposure and consider network segmentation or isolation of critical embedded devices to limit impact. Finally, engaging with vendors and Linux kernel maintainers to receive timely updates and advisories is recommended.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.775Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8905
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 9:27:21 AM
Last updated: 8/15/2025, 1:26:03 AM