What is CVE-2025-21951?

CVE-2025-21951 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10, classified as a Improper Locking flaw (CWE-667), affecting Linux kernel versions from 5.12 onward and patched in 5.15.179, 6.1.131, 6.6.83 and others. CVE-2025-21951 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-21951?

CVE-2025-21951 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2025-21951?

Yes, CVE-2025-21951 has been patched. Fixed versions include 5.15.179, 6.1.131, 6.6.83 and others. If you are running Linux kernel 5.12 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-21951 actively exploited?

CVE-2025-21951 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Improper Locking (CWE-667)?

The product does not properly acquire or release a lock, which can lead to unexpected behaviour. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/667.html

CVE-2025-21951

Medium

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shutdown() callback. If the device is not alive during recovery_work, it will try to reset the device using pci_reset_function(). This function internally will take the device_lock() first before resetting the device. By this time, if the lock has already been acquired, then recovery_work will get stalled while waiting for the lock. And if the lock was already acquired by the caller which waits for the recovery_work to be completed, it will lead to deadlock. This is what happened on the X1E80100 CRD device when the device died before shutdown() callback. Driver core calls the driver's shutdown() callback while holding the device_lock() leading to deadlock. And this deadlock scenario can occur on other paths as well, like during the PM suspend() callback, where the driver core would hold the device_lock() before calling driver's suspend() callback. And if the recovery_work was already started, it could lead to deadlock. This is also observed on the X1E80100 CRD. So to fix both issues, use pci_try_reset_function() in recovery_work. This function first checks for the availability of the device_lock() before trying to reset the device. If the lock is available, it will acquire it and reset the device. Otherwise, it will return -EAGAIN. If that happens, recovery_work will fail with the error message "Recovery failed" as not much could be done.

Package Linux Kernel

Published 2025-04-01

Last modified 2025-11-03

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-667

CVE-2025-21951 is a Improper Locking vulnerability

What is Improper Locking?

The product does not properly acquire or release a lock, which can lead to unexpected behaviour. Learn more on MITRE CWE

Affected versions

Linux kernel versions 5.12 and later are affected. Fixed in 5.15.179, 6.1.131, 6.6.83, 6.12.19, 6.13.7, 6.14 and their respective stable series.

Affected from

≥ 5.12

Fixed in

✓ 5.15.179 5.15.x ✓ 6.1.131 6.1.x ✓ 6.6.83 6.6.x ✓ 6.12.19 6.12.x ✓ 6.13.7 6.13.x ✓ 6.14

References

The following references provide additional information about CVE-2025-21951 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Debian Security
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
Kernel patch commit
https://git.kernel.org/stable/c/1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95
Patch
Kernel patch commit
https://git.kernel.org/stable/c/62505657475c245c9cd46e42ac01026d1e61f027
Patch
Kernel patch commit
https://git.kernel.org/stable/c/7746f3bb8917fccb4571a576f3837d80fc513054
Patch

6 patch commits total View all on NVD

Details

CVE ID CVE-2025-21951

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2025-04-01

Modified 2025-11-03

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2025-21951?

CVE-2025-21951 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 , classified as an Improper Locking flaw (CWE-667) . It affects Linux kernel versions from 5.12 onward and has been patched in 5.15.179, 6.1.131, 6.6.83 and others. CVE-2025-21951 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2025-21951?

CVE-2025-21951 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2025-21951?

Yes — CVE-2025-21951 has been patched. Fixed versions include 5.15.179, 6.1.131, 6.6.83 and others. If you are running Linux kernel 5.12 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-21951 actively exploited?

No — CVE-2025-21951 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Improper Locking (CWE-667)?

The product does not properly acquire or release a lock, which can lead to unexpected behaviour. View CWE-667 on MITRE CWE →