CVE-2025-21838

Advisory lineage Upstream: 0 Downstream: 22
Modified
Published: 07 Mar 2025, 09:09
Last modified:11 May 2026, 21:07

Vulnerability Summary

Overall Risk (default)
low
22/100
CVSS Score
5.5 MEDIUM
v3.1 (nvd)
EPSS Score
0.18% LOW
0% probability +0.13%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

07 Mar 2025, 09:09
Published
Vulnerability first disclosed
11 May 2026, 21:07
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: flush gadget workqueue after device removal device_del() can lead to new work being scheduled in gadget->work workqueue. This is observed, for example, with the dwc3 driver with the following call stack: device_del() gadget_unbind_driver() usb_gadget_disconnect_locked() dwc3_gadget_pullup() dwc3_gadget_soft_disconnect() usb_gadget_set_state() schedule_work(&gadget->work) Move flush_work() after device_del() to ensure the workqueue is cleaned up.

CVSS Metrics

  • v3.1MEDIUMScore: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.18% Percentile: 8%

Affected Systems

  • linuxlinux

    ≥ 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15, < e3bc1a9a67ce33a2e761e6e7b7c2afc6cb9b7266 | ≥ 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15, < 859cb45aefa6de823b2fa7f229fe6d9562c9f3b7 | ≥ 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15, < f894448f3904d7ad66fecef8f01fe0172629e091 | ≥ 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15, < 97695b5a1b5467a4f91194db12160f56da445dfe | ≥ 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15, < 399a45e5237ca14037120b1b895bd38a3b4492ea | 3.12

  • linuxlinux_kernel

    ≥ 3.12, < 6.1.130 | ≥ 6.2, < 6.6.80 | ≥ 6.7, < 6.12.16 | ≥ 6.13, < 6.13.4 | 6.14:rc1 | 6.14:rc2

References (6)