CVE-2025-21998

In the Linux kernel, the following vulnerability has been resolved:

firmware: qcom: uefisecapp: fix efivars registration race

Since the conversion to using the TZ allocator, the efivars service is registered before the memory pool has been allocated, something which can lead to a NULL-pointer dereference in case of a racing EFI variable access.

Make sure that all resources have been set up before registering the efivars.

Published: Apr 3, 2025
Updated: May 4, 2025
CVE: CVE-2025-21998
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.7
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-476
CWE-367

Affected Software
References

Software	From	Fixed in
linux / linux_kernel	6.14-rc1	6.14-rc1.x
linux / linux_kernel	6.14-rc2	6.14-rc2.x
linux / linux_kernel	6.14-rc3	6.14-rc3.x
linux / linux_kernel	6.14-rc4	6.14-rc4.x
linux / linux_kernel	6.13	6.13.9
linux / linux_kernel	6.14-rc5	6.14-rc5.x
linux / linux_kernel	6.11	6.12.21
linux / linux_kernel	6.14-rc6	6.14-rc6.x
linux / linux_kernel	6.14-rc7	6.14-rc7.x

https://git.kernel.org/stable/c/c4e37b381a7a243c298a4858fc0a5a74e737c79a
https://git.kernel.org/stable/c/da8d493a80993972c427002684d0742560f3be4a
https://git.kernel.org/stable/c/f15a2b96a0e41c426c63a932d0e63cde7b9784aa

Vulnerability Database

CVE-2025-21998