What is CVE-2025-21685?

A medium-severity vulnerability has been identified in the Linux kernel related to a race condition in the Lenovo Yoga Tab 2 Pro 1380 fast charger. Organizations should prioritize remediation to mitigate risks associated with this vulnerability.

What is the severity of CVE-2025-21685?

CVE-2025-21685 has a severity rating of MEDIUM with a CVSS base score of 4.7.

CVE-2025-21685 | Medium Vulnerability in Linux Kernel

In the Linux kernel, a vulnerability identified as CVE-2025-21685 has been resolved, specifically affecting the Lenovo Yoga Tab 2 Pro 1380 fast charger. This vulnerability arises from a race condition within the yt2_1380_fc_serdev_probe() function, where devm_serdev_device_open() is called prior to configuring the client operations. As a result, this can lead to a NULL pointer dereference in the serdev controller's receive_buf handler, which assumes that the operations set are valid when SERPORT_ACTIVE is asserted.

The CVSS score for this vulnerability is 4.7, categorizing it as medium severity. The attack vector is local, with a high attack complexity and low privileges required for exploitation. The potential impact on availability is high, while confidentiality and integrity are not affected.

Risk to organizations includes downtime and potential data loss due to service interruptions. Given the nature of the vulnerability, organizations should prioritize patching immediately to prevent exploitation.

As of now, there is no public exploit confirmed for this vulnerability, and it is not part of the Known Exploited Vulnerabilities (KEV) catalog. However, the risk remains significant due to the potential consequences of exploitation.

Organizations are advised to monitor for updates and ensure that their systems are patched to the latest versions as part of their security best practices.

Vulnerability Details

The vulnerability is classified under CWE-476, which pertains to NULL pointer dereference. The affected products include all versions of the Linux kernel from 6.10 to versions prior to 6.12.11, as well as specific release candidates of version 6.13.

Technical Analysis

The root cause of this vulnerability is the incorrect ordering of function calls, specifically calling devm_serdev_device_open() before setting the client operations. This oversight leads to the potential for a NULL pointer dereference when the receive_buf handler is called, as it expects valid operations to be present.

The attack vector for this vulnerability is local, meaning that an attacker must have access to the local system to exploit it. The attack complexity is high, requiring specific conditions and privileges, which are low, to successfully exploit the vulnerability.

Risk & Impact Analysis

The real-world deployment risk involves potential service interruptions due to the high availability impact. Organizations using affected versions of the Linux kernel should be aware of the implications of this vulnerability, as it could lead to significant downtime and loss of service.

Given the medium severity and potential impact, organizations should address this vulnerability in their priority patch cycle. Prompt action is necessary to mitigate the risks associated with this vulnerability.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerability affects all versions of the Linux kernel starting from version 6.10 up to, but not including, 6.12.11. Additionally, specific release candidates of version 6.13 are also vulnerable.

Mitigation & Remediation

To address this vulnerability, organizations should apply the relevant patches as soon as they are available. Regular system updates and monitoring for vendor-released patches are essential to maintain a secure environment. For comprehensive security measures, organizations can also consider implementing penetration testing to identify and mitigate similar vulnerabilities proactively.

Detection Guidance

Organizations should monitor logs for any unusual behavior associated with the serdev controller's operations and track any changes to the kernel that may indicate an attempted exploitation of this vulnerability.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2025-21685 highlights the ongoing need for rigorous testing and validation of device drivers and kernel modules to avoid similar vulnerabilities in the future. This incident serves as a reminder to security teams to maintain a proactive stance on vulnerability management and to continuously evaluate the security posture of their systems.

For more insights, organizations can explore our resources on penetration testing methodology, as well as our guides on vulnerability management program design and AI security best practices to strengthen their defenses.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-21685: Medium Vulnerability in Linux Kernel