CVE-2025-21685

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The issue is related to a NULL pointer dereference in the Linux kernel. The yt2 1380 fc serdev probe() function calls devm serdev device open() before setting the client operations via serdev device set client ops(), which can trigger a NULL pointer dereference in the serdev controller's receive buffer handler. This is because the handler assumes serdev->ops is valid when SERPORT ACTIVE is set. The problem is similar to an issue fixed in a previous commit, where devm serdev device open() was called before fully initializing the device. To fix the issue, the client operations must be set before enabling the port via devm serdev device open(). Additionally, serdev device set baudrate() and serdev device set flow control() calls should be made after the devm serdev device open() call.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.