CVE-2025-21902: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: acpi: typec: ucsi: Introduce a ->poll_cci method For the ACPI backend of UCSI the UCSI "registers" are just a memory copy of the register values in an opregion. The ACPI implementation in the BIOS ensures that the opregion contents are synced to the embedded controller and it ensures that the registers (in particular CCI) are synced back to the opregion on notifications. While there is an ACPI call that syncs the actual registers to the opregion there is rarely a need to do this and on some ACPI implementations it actually breaks in various interesting ways. The only reason to force a sync from the embedded controller is to poll CCI while notifications are disabled. Only the ucsi core knows if this is the case and guessing based on the current command is suboptimal, i.e. leading to the following spurious assertion splat: WARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] CPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1 Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023 Workqueue: events_long ucsi_init_work [typec_ucsi] RIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] Call Trace: <TASK> ucsi_init_work+0x3c/0xac0 [typec_ucsi] process_one_work+0x179/0x330 worker_thread+0x252/0x390 kthread+0xd2/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> Thus introduce a ->poll_cci() method that works like ->read_cci() with an additional forced sync and document that this should be used when polling with notifications disabled. For all other backends that presumably don't have this issue use the same implementation for both methods.
AI Analysis
Technical Summary
CVE-2025-21902 addresses a vulnerability in the Linux kernel's ACPI backend for the USB Type-C Connector System Software Interface (UCSI). The issue arises from how the kernel handles synchronization of UCSI registers, specifically the Command Completion Indicator (CCI) register, which is represented as a memory copy within an ACPI operation region (opregion). The BIOS ACPI implementation is responsible for syncing these opregion contents with the embedded controller, ensuring register values reflect hardware state. However, forcing a sync from the embedded controller to the opregion is generally unnecessary and can cause failures on some ACPI implementations. The kernel previously lacked a dedicated method to poll the CCI register while notifications were disabled, leading to incorrect assumptions and spurious kernel warnings or crashes (e.g., assertion failures in the ucsi_reset_ppm function). To resolve this, a new ->poll_cci() method was introduced that performs a forced sync and reads the CCI register safely when notifications are disabled, while other backends continue using the existing ->read_cci() method. This fix prevents kernel panics and instability related to USB Type-C port management on affected Linux systems. The vulnerability is specific to the Linux kernel's USB Type-C ACPI UCSI implementation and does not appear to have known exploits in the wild as of publication. No CVSS score has been assigned yet.
Potential Impact
For European organizations relying on Linux-based systems, particularly those using laptops, desktops, or embedded devices with USB Type-C ports managed via ACPI and UCSI, this vulnerability could cause system instability or kernel panics. This may lead to unexpected reboots or loss of USB Type-C functionality, impacting device availability and user productivity. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact could disrupt critical workflows, especially in environments where USB Type-C is used for docking stations, external displays, or power delivery. Industrial control systems or embedded devices running Linux kernels with affected versions could also experience operational disruptions. Since no known exploits exist, the immediate risk of targeted attacks is low, but unpatched systems remain vulnerable to accidental crashes or denial-of-service conditions triggered by USB Type-C port events.
Mitigation Recommendations
European organizations should prioritize updating Linux kernel versions to those containing the patched ->poll_cci() method implementation. Kernel updates should be applied promptly on all affected devices, especially those with USB Type-C ports managed via ACPI UCSI. System administrators should audit their Linux kernel versions and verify if the kernel includes the fix (post commit 6.12.11-200.fc41 or later). For environments where immediate patching is not feasible, disabling USB Type-C port notifications or limiting USB Type-C functionality temporarily may reduce the risk of kernel panics. Additionally, organizations should monitor system logs for the specific warning messages related to ucsi_reset_ppm to identify affected systems. Testing kernel updates in staging environments before wide deployment is recommended to ensure compatibility with existing hardware and BIOS implementations. Collaboration with hardware vendors to ensure BIOS ACPI implementations are up to date can further reduce risk.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Poland, Italy, Spain
CVE-2025-21902: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: acpi: typec: ucsi: Introduce a ->poll_cci method For the ACPI backend of UCSI the UCSI "registers" are just a memory copy of the register values in an opregion. The ACPI implementation in the BIOS ensures that the opregion contents are synced to the embedded controller and it ensures that the registers (in particular CCI) are synced back to the opregion on notifications. While there is an ACPI call that syncs the actual registers to the opregion there is rarely a need to do this and on some ACPI implementations it actually breaks in various interesting ways. The only reason to force a sync from the embedded controller is to poll CCI while notifications are disabled. Only the ucsi core knows if this is the case and guessing based on the current command is suboptimal, i.e. leading to the following spurious assertion splat: WARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] CPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1 Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023 Workqueue: events_long ucsi_init_work [typec_ucsi] RIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] Call Trace: <TASK> ucsi_init_work+0x3c/0xac0 [typec_ucsi] process_one_work+0x179/0x330 worker_thread+0x252/0x390 kthread+0xd2/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> Thus introduce a ->poll_cci() method that works like ->read_cci() with an additional forced sync and document that this should be used when polling with notifications disabled. For all other backends that presumably don't have this issue use the same implementation for both methods.
AI-Powered Analysis
Technical Analysis
CVE-2025-21902 addresses a vulnerability in the Linux kernel's ACPI backend for the USB Type-C Connector System Software Interface (UCSI). The issue arises from how the kernel handles synchronization of UCSI registers, specifically the Command Completion Indicator (CCI) register, which is represented as a memory copy within an ACPI operation region (opregion). The BIOS ACPI implementation is responsible for syncing these opregion contents with the embedded controller, ensuring register values reflect hardware state. However, forcing a sync from the embedded controller to the opregion is generally unnecessary and can cause failures on some ACPI implementations. The kernel previously lacked a dedicated method to poll the CCI register while notifications were disabled, leading to incorrect assumptions and spurious kernel warnings or crashes (e.g., assertion failures in the ucsi_reset_ppm function). To resolve this, a new ->poll_cci() method was introduced that performs a forced sync and reads the CCI register safely when notifications are disabled, while other backends continue using the existing ->read_cci() method. This fix prevents kernel panics and instability related to USB Type-C port management on affected Linux systems. The vulnerability is specific to the Linux kernel's USB Type-C ACPI UCSI implementation and does not appear to have known exploits in the wild as of publication. No CVSS score has been assigned yet.
Potential Impact
For European organizations relying on Linux-based systems, particularly those using laptops, desktops, or embedded devices with USB Type-C ports managed via ACPI and UCSI, this vulnerability could cause system instability or kernel panics. This may lead to unexpected reboots or loss of USB Type-C functionality, impacting device availability and user productivity. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact could disrupt critical workflows, especially in environments where USB Type-C is used for docking stations, external displays, or power delivery. Industrial control systems or embedded devices running Linux kernels with affected versions could also experience operational disruptions. Since no known exploits exist, the immediate risk of targeted attacks is low, but unpatched systems remain vulnerable to accidental crashes or denial-of-service conditions triggered by USB Type-C port events.
Mitigation Recommendations
European organizations should prioritize updating Linux kernel versions to those containing the patched ->poll_cci() method implementation. Kernel updates should be applied promptly on all affected devices, especially those with USB Type-C ports managed via ACPI UCSI. System administrators should audit their Linux kernel versions and verify if the kernel includes the fix (post commit 6.12.11-200.fc41 or later). For environments where immediate patching is not feasible, disabling USB Type-C port notifications or limiting USB Type-C functionality temporarily may reduce the risk of kernel panics. Additionally, organizations should monitor system logs for the specific warning messages related to ucsi_reset_ppm to identify affected systems. Testing kernel updates in staging environments before wide deployment is recommended to ensure compatibility with existing hardware and BIOS implementations. Collaboration with hardware vendors to ensure BIOS ACPI implementations are up to date can further reduce risk.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.785Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9833c4522896dcbe8b5c
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 10:27:37 AM
Last updated: 8/18/2025, 11:22:44 PM
Views: 24
Related Threats
CVE-2025-9170: Cross Site Scripting in SolidInvoice
MediumCVE-2025-9169: Cross Site Scripting in SolidInvoice
MediumCVE-2025-9168: Cross Site Scripting in SolidInvoice
MediumCVE-2025-8364: Address bar spoofing using an blob URI on Firefox for Android in Mozilla Firefox
HighCVE-2025-8042: Sandboxed iframe could start downloads in Mozilla Firefox
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.