CVE-2025-21773 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

can: etas_es58x: fix potential NULL pointer dereference on udev->serial

The driver assumed that es58x_dev->udev->serial could never be NULL. While this is true on commercially available devices, an attacker could spoof the device identity providing a NULL USB serial number. That would trigger a NULL pointer dereference.

Add a check on es58x_dev->udev->serial before accessing it.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/25/2026

The vulnerability CVE-2025-21773 affects the Linux kernel's CAN (Controller Area Network) driver specifically the etas_es58x module responsible for managing ETAS ES58x family devices. This issue represents a classic null pointer dereference flaw that occurs when the driver fails to properly validate device identification information during the initialization process. The etas_es58x driver is designed to handle automotive and industrial communication devices that use the CAN bus protocol for vehicle diagnostics and control systems. The vulnerability stems from an assumption made by the kernel developers that USB serial numbers for these devices would always contain valid data, a premise that proves incorrect when devices are maliciously constructed or manipulated.

The technical flaw manifests in the driver's handling of USB device identification where it directly accesses the serial number field without proper validation. When an attacker presents a spoofed device with a NULL USB serial number, the driver's code path attempts to dereference the null pointer es58x_dev->udev->serial, leading to immediate system crash or potential privilege escalation depending on the execution context. This type of vulnerability falls under CWE-476 which specifically addresses NULL Pointer Dereference issues in software development. The flaw represents a failure in defensive programming practices where input validation should occur before any pointer operations are performed.

The operational impact of this vulnerability extends beyond simple system crashes as it creates potential attack vectors for adversaries targeting automotive systems or industrial control networks that rely on CAN bus communication. Attackers could exploit this vulnerability by connecting maliciously crafted USB devices to systems running affected kernel versions, potentially causing denial of service or creating opportunities for more sophisticated attacks. In automotive contexts, this could lead to vehicle communication failures or compromise of vehicle control systems, while in industrial settings it might disrupt critical infrastructure operations. The vulnerability is particularly concerning because it operates at the kernel level where successful exploitation could provide attackers with elevated privileges and access to sensitive system resources.

Mitigation strategies for CVE-2025-21773 involve implementing proper input validation within the etas_es58x driver code before any access to the serial number field occurs. The fix requires adding a conditional check to verify that es58x_dev->udev->serial is not NULL before attempting to dereference it, which aligns with standard security practices recommended in the ATT&CK framework for preventing kernel-level exploits. System administrators should prioritize updating to kernel versions containing the patched driver code, as this vulnerability demonstrates the importance of robust input validation in device drivers. Organizations using automotive or industrial systems should conduct vulnerability assessments to identify affected systems and implement monitoring for suspicious USB device connections that might indicate attempted exploitation. The fix also emphasizes the need for comprehensive testing of device identification mechanisms in embedded systems where device spoofing attacks represent a growing concern in cybersecurity.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00206

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!