CVE-2025-21695

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: A vulnerability has been resolved in the Linux kernel. The issue is related to the dell uart bl serdev probe() function calling devm serdev device open() before setting the client operations via serdev device set client ops(). This ordering can trigger a NULL pointer dereference in the serdev controller's receive buffer handler, as it assumes serdev->ops is valid when SERPORT ACTIVE is set. The problem is similar to an issue fixed in a previous commit, where devm serdev device open() was called before fully initializing the device. The fix involves ensuring client operations are set before enabling the port via devm serdev device open(). Additionally, serdev device set baudrate() and serdev device set flow control() calls should be made after the devm serdev device open() call.

Recommendations: To resolve the issue, ensure that the client operations are set before enabling the port via devm serdev device open(). Make serdev device set baudrate() and serdev device set flow control() calls after the devm serdev device open() call. As a temporary workaround, consider disabling the dell uart bl serdev probe() function until a patch is available. Restrict access to the vulnerable serdev module to minimize the risk of exploitation. Avoid using the serdev device open() function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.