
CVE-2025-21915: Vulnerability in Linux

Severity: High
Published: Tue Apr 01 2025 (04/01/2025, 15:40:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

cdx: Fix possible UAF error in driver_override_show()

Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c.

This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently in sysfs.

The driver_override_store() function uses driver_set_override() to update the driver_override value, and driver_set_override() internally locks the device (device_lock(dev)). If driver_override_show() reads cdx_dev->driver_override without locking, it could potentially access a freed pointer if driver_override_store() frees the string concurrently. This could lead to printing a kernel address, which is a security risk since DEVICE_ATTR can be read by all users.

Additionally, a similar pattern is used in drivers/amba/bus.c, as well as many other bus drivers, where device_lock() is taken in the show function, and it has been working without issues.

This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations.

AI-Powered Analysis

Last updated: 07/03/2025, 04:57:29 UTC

Technical Analysis

CVE-2025-21915 is a high-severity use-after-free (UAF) vulnerability identified in the Linux kernel, specifically within the driver_override_show() function located in drivers/cdx/cdx.c. This function is part of the DEVICE_ATTR_RW attribute group, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently via sysfs, a virtual filesystem interface used for device and kernel attribute management.

The vulnerability arises because driver_override_store() updates the driver_override string by calling driver_set_override(), which locks the device using device_lock(dev) and may free the existing driver_override string. Meanwhile, driver_override_show() reads the driver_override string without acquiring this lock, potentially accessing a freed pointer if driver_override_store() frees the string concurrently. This race condition can lead to a use-after-free scenario, which may cause the kernel to print a freed kernel memory address to sysfs. Since DEVICE_ATTR files are readable by all users, this exposure can leak sensitive kernel memory addresses, facilitating information disclosure and potentially enabling further exploitation such as privilege escalation or kernel code execution. The vulnerability is related to CWE-416 (Use After Free).

The issue was detected using an experimental static analysis tool that identifies locking and concurrency issues. Similar patterns exist in other bus drivers like drivers/amba/bus.c, but those have been using device_lock() in the show function to prevent such races.

The CVSS v3.1 score is 7.8 (high), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local attack vector, low complexity, requiring low privileges, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. The vulnerability affects certain Linux kernel versions identified by specific commit hashes.

The flaw can lead to kernel crashes, information leaks, and potential privilege escalation due to the exposure of kernel addresses and memory corruption.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially those relying on Linux-based infrastructure such as servers, embedded devices, and IoT systems. The ability to leak kernel memory addresses can facilitate advanced attacks like kernel-level privilege escalation, undermining system integrity and confidentiality. This could lead to unauthorized access to sensitive data, disruption of critical services, and compromise of operational technology environments. Organizations in sectors such as finance, healthcare, telecommunications, and critical infrastructure, which often use Linux extensively, may face increased risk of targeted attacks exploiting this vulnerability. Additionally, the vulnerability's local attack vector means that any user with limited access to a vulnerable system could potentially exploit it, increasing the threat surface in multi-user environments or shared hosting scenarios common in European data centers. The lack of known exploits in the wild currently reduces immediate risk, but the high severity and ease of exploitation warrant prompt attention to prevent future exploitation attempts.

Mitigation Recommendations

European organizations should implement the following specific mitigation steps:

1) Apply the official Linux kernel patches that fix the use-after-free condition in driver_override_show() as soon as they are available and tested in their environments.
2) For systems where immediate patching is not feasible, restrict access to sysfs DEVICE_ATTR_RW files, especially those related to driver_override attributes, by tightening file permissions or using mandatory access controls (e.g., SELinux, AppArmor) to limit read access to trusted users only.
3) Monitor kernel logs and sysfs accesses for unusual or repeated reads of driver_override attributes that could indicate exploitation attempts.
4) Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce the impact of information leaks.
5) Conduct thorough audits of multi-user systems and shared environments to ensure that unprivileged users cannot gain local access that could be leveraged to exploit this vulnerability.
6) Maintain an up-to-date inventory of Linux kernel versions deployed across the organization to prioritize patching efforts.
7) Engage with Linux distribution vendors for backported patches and security advisories relevant to their specific kernel versions.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.787Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe8bc8

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 7/3/2025, 4:57:29 AM

Last updated: 8/17/2025, 1:42:40 PM

