
CVE-2025-21846: Vulnerability in the Linux kernel

High
Published: Wed Mar 12 2025 (03/12/2025, 09:42:02 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

acct: perform last write from workqueue

In [1] it was reported that the acct(2) system call can be used to trigger a NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g. happen when pointing acct(2) to /sys/power/resume. At the point where the write to this file happens, the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL deref when accessing current->fs.

Reorganize the code so that the final write happens from the workqueue but with the caller's credentials. This preserves the (strange) permission model and has almost no regression risk. This API should stop existing, though.

AI-Powered Analysis

Last updated: 06/30/2025, 09:55:11 UTC

Technical Analysis

CVE-2025-21846 is a vulnerability in the Linux kernel's process accounting subsystem, specifically in the handling of the acct(2) system call. The problem arises when acct(2) has been pointed at a file whose write path performs an internal path lookup, such as /sys/power/resume. By the time the accounting code performs its final write, the calling task has already exited and called exit_fs(), so current->fs is NULL. The lookup then dereferences that NULL pointer and the kernel crashes (a denial of service). The root cause is that the final write was performed synchronously in the context of a task that no longer had a valid filesystem context. The patch defers the final write to a workqueue while retaining the caller's credentials, so the write runs from a context that still has a valid current->fs and the NULL dereference cannot occur. This preserves the existing permission model and carries almost no regression risk. No exploits in the wild are known, and the affected kernel versions are identified in the advisory by commit hashes. The acct(2) syscall is relatively obscure and used primarily for process accounting, but a kernel NULL dereference still brings down the whole system. The bug illustrates the risk of performing filesystem operations on behalf of a task whose context has already been torn down during exit.

Potential Impact

For European organizations, the primary impact of CVE-2025-21846 is the potential for denial of service on Linux systems that utilize the acct(2) syscall in conjunction with files triggering internal lookups like /sys/power/resume. This can lead to kernel panics and system crashes, disrupting critical services and operations. Organizations running Linux servers, especially those in data centers, cloud environments, or embedded systems that rely on power management features exposed via sysfs, may experience instability or outages. While the vulnerability does not directly enable privilege escalation or data breaches, the resulting downtime can affect availability and business continuity. Industries with high uptime requirements such as finance, healthcare, telecommunications, and manufacturing could be particularly impacted. Additionally, the complexity of the vulnerability means it may be overlooked in routine security assessments, increasing the risk of unexpected outages. Since no known exploits are reported, the immediate threat level is moderate, but unpatched systems remain vulnerable to accidental or malicious triggering of the NULL dereference.

Mitigation Recommendations

To mitigate CVE-2025-21846, European organizations should:

1) Apply the official Linux kernel patches that reorganize acct(2) handling so that the final write is performed from a workqueue with the caller's credentials. Update kernels to a version that includes this fix as soon as one is available.

2) Audit systems for use of the acct(2) syscall and assess whether process accounting is necessary; if it is not, consider disabling it to reduce the attack surface.

3) Monitor kernel logs and system stability for NULL pointer dereferences or unexpected panics related to acct(2) or /sys/power/resume.

4) Implement robust system monitoring and automated recovery so that a kernel crash causes minimal downtime.

5) On critical systems, consider restricting access to sysfs entries such as /sys/power/resume to trusted processes only, using mandatory access controls (e.g., SELinux, AppArmor).

6) Engage with Linux distribution vendors to track patch availability and backports to the long-term support kernels used in production.

These steps go beyond generic advice by focusing on syscall usage auditing, sysfs access controls, and proactive monitoring tailored to this vulnerability's characteristics.
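A small audit and detection helper for mitigation steps 2) and 3) above, added here as an example; it is not code from the advisory or from the kernel project. It assumes the kernel config is readable at /boot/config-$(uname -r) or /proc/config.gz, that auditd is available for the optional audit rule, and it runs its log check over a constructed sample rather than a real capture.

```shell
#!/bin/sh
# Added example for mitigation steps 2) and 3), not from the advisory or the kernel.
# Assumes /boot/config-$(uname -r) or /proc/config.gz and a dmesg-style log text.

# Constructed sample kernel log (not a real capture): one oops whose trace
# mentions acct, one unrelated oops, and ordinary noise.
SAMPLE_KLOG='[   12.001] usb 1-1: new high-speed USB device number 2
[  301.442] BUG: kernel NULL pointer dereference, address: 0000000000000028
[  301.443] Call Trace:
[  301.444]  filename_lookup
[  301.445]  acct_process
[  900.100] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  900.101] Call Trace:
[  900.102]  some_driver_probe'

# Step 2: is BSD process accounting compiled into the running kernel at all?
# Prints y or n; n also when the config cannot be read.
acct_compiled_in() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_BSD_PROCESS_ACCT=y' "$cfg" && echo y || echo n
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_BSD_PROCESS_ACCT=y' && echo y || echo n
    else
        echo n
    fi
}

# Step 2: record every acct(2) call with auditd so its use can be reviewed.
# Needs root and a running auditd; not called automatically below.
add_acct_audit_rule() {
    auditctl -a always,exit -F arch=b64 -S acct -k process_accounting
    auditctl -a always,exit -F arch=b32 -S acct -k process_accounting
}

# Step 3: number of kernel NULL-dereference reports in the given log text.
count_null_deref() {
    printf '%s\n' "$1" | grep -c 'BUG: kernel NULL pointer dereference' || true
}

# Step 3: lines within 20 lines after an oops header that mention acct or
# /sys/power/resume, i.e. crashes worth correlating with this CVE.
count_acct_hints() {
    printf '%s\n' "$1" | grep -A20 'BUG: kernel NULL pointer dereference' \
        | grep -c -E 'acct|/sys/power/resume' || true
}

echo "process accounting compiled in: $(acct_compiled_in)"
echo "NULL-deref oopses: $(count_null_deref "$SAMPLE_KLOG"), acct hints: $(count_acct_hints "$SAMPLE_KLOG")"
```

acct(2) itself requires CAP_SYS_PACCT, so the audit rule will mostly record administrative tooling such as accton rather than unprivileged processes.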


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.778Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe89a8

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 9:55:11 AM

Last updated: 7/30/2025, 10:36:36 PM
