CVE-2025-21998
03.04.2025, 08:15
In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: uefisecapp: fix efivars registration race Since the conversion to using the TZ allocator, the efivars service is registered before the memory pool has been allocated, something which can lead to a NULL-pointer dereference in case of a racing EFI variable access. Make sure that all resources have been set up before registering the efivars.
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 6.11 ≤ 𝑥 < 6.12.21 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.13.9 |
| linux | linux_kernel | 6.14:rc1 |
| linux | linux_kernel | 6.14:rc2 |
| linux | linux_kernel | 6.14:rc3 |
| linux | linux_kernel | 6.14:rc4 |
| linux | linux_kernel | 6.14:rc5 |
| linux | linux_kernel | 6.14:rc6 |
| linux | linux_kernel | 6.14:rc7 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race ConditionThe software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.
- CWE-476 - NULL Pointer DereferenceA NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.