CVE-2025-21998 — Time-of-check Time-of-use (TOCTOU) Race Condition in Linux
Severity
4.7MEDIUMNVD
OSV5.9
EPSS
0.0%
top 88.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 3
Latest updateJul 8
Description
In the Linux kernel, the following vulnerability has been resolved:
firmware: qcom: uefisecapp: fix efivars registration race
Since the conversion to using the TZ allocator, the efivars service is
registered before the memory pool has been allocated, something which
can lead to a NULL-pointer dereference in case of a racing EFI variable
access.
Make sure that all resources have been set up before registering the
efivars.
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.0 | Impact: 3.6
Affected Packages4 packages
▶CVEListV5linux/linux6612103ec35af6058bb85ab24dae28e119b3c055 — c4e37b381a7a243c298a4858fc0a5a74e737c79a+3
Patches
🔴Vulnerability Details
6OSV▶
linux, linux-aws, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oracle, linux-raspi, linux-realtime vulnerabilities↗2025-06-30
GHSA▶
GHSA-6hcp-x8fr-rwcv: In the Linux kernel, the following vulnerability has been resolved:
firmware: qcom: uefisecapp: fix efivars registration race
Since the conversion t↗2025-04-03