PT-2025-4337 · Linux+5 · Linux Kernel+5

Published: 2025-01-07 · Updated: 2026-04-20

CVE-2025-21656

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.6.74

Description

The issue concerns the Linux kernel, specifically the hwmon driver, which can report garbage data when SCSI errors occur. The scsi_execute_cmd() function can return both negative and positive error codes. The driver passes these codes unchanged to the hwmon core, which treats only negative values as errors. As a result, hwmon reports uninitialized data to userspace when a SCSI error occurs, for example when a disk drive is disconnected. The patch checks the return value of scsi_execute_cmd() and returns -EIO if the error code is positive.

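The return-code mismatch described above, as an added userspace model (not kernel source and not the upstream patch). The names fake_scsi_execute_cmd, read_unpatched, read_patched, core_show and POISON are hypothetical, and the positive code 2 and the reading 35 are constructed sample values.

```c
#include <errno.h>
#include <stdio.h>

#define POISON 0x5a5a5a5aL /* constructed stand-in for uninitialized stack data */

/* Hypothetical stand-in for scsi_execute_cmd(): 0 = success, <0 = errno,
 * >0 = SCSI-level failure. The buffer is only filled on success. */
static int fake_scsi_execute_cmd(int rc, unsigned char *buf)
{
	if (rc == 0)
		buf[0] = 35; /* constructed reading, degrees C */
	return rc;
}

/* Driver read callback before the fix: passes the raw code through. */
static int read_unpatched(int rc, long *val)
{
	unsigned char buf[1];
	int err = fake_scsi_execute_cmd(rc, buf);
	if (err)
		return err; /* a positive code leaves *val untouched */
	*val = buf[0] * 1000L; /* millidegrees */
	return 0;
}

/* After the fix: a positive code is mapped to -EIO. */
static int read_patched(int rc, long *val)
{
	int err = read_unpatched(rc, val);
	return err > 0 ? -EIO : err;
}

/* Model of the core's check: only negative returns count as errors. */
static int core_show(int (*read)(int, long *), int rc, long *out)
{
	long val = POISON;
	int ret = read(rc, &val);
	if (ret < 0)
		return ret;
	*out = val; /* this value is what userspace would see */
	return 0;
}

int main(void)
{
	long out = 0;
	printf("unpatched ret=%d\n", core_show(read_unpatched, 2, &out));
	printf("patched   ret=%d\n", core_show(read_patched, 2, &out));
	return 0;
}
```

With the unpatched callback, the positive code passes the core's negative-only check and the poison value is returned as a successful reading; the patched callback surfaces -EIO instead.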
Recommendations

For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting access to the hwmon driver to minimize the risk of exploitation until a patch is applied. Avoid using the scsi_execute_cmd() function in scenarios where SCSI errors may occur until the issue is resolved.

Weakness Enumeration

Access of Uninitialized Pointer

Related Identifiers

ALT-PU-2025-12647
BDU:2026-02669
CVE-2025-21656
ECHO-5AC0-6683-2DDD
MGASA-2025-0030
MGASA-2025-0032
OESA-2025-1204
OESA-2025-1205
OPENSUSE-SU-2025_0428-1
OPENSUSE-SU-2025_0499-1
OPENSUSE-SU-2025_0557-1
SUSE-SU-2025:0289-1
SUSE-SU-2025:0428-1
SUSE-SU-2025:0499-1
SUSE-SU-2025:0557-1
SUSE-SU-2025:20165-1
SUSE-SU-2025:20166-1
SUSE-SU-2025:20248-1
SUSE-SU-2025:20249-1
SUSE-SU-2025_0428-1
SUSE-SU-2025_0499-1
SUSE-SU-2025_0557-1
USN-7379-1
USN-7379-2
USN-7380-1
USN-7381-1
USN-7382-1
USN-7513-1
USN-7513-2
USN-7513-3
USN-7513-4
USN-7513-5
USN-7514-1
USN-7515-1
USN-7515-2
USN-7522-1
USN-7523-1
USN-7524-1

Affected Products

Alt Linux
Debian
Linuxmint
Linux Kernel
Suse
Ubuntu