Linux Kernel up to 6.13.2 synaptics open/close denial of service

Summaryinfo

A vulnerability was found in Linux Kernel up to 6.13.2. It has been classified as critical. This affects the function open/close of the component synaptics. The manipulation leads to denial of service. This vulnerability is documented as CVE-2025-21746. There is not any exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in Linux Kernel up to 6.13.2. It has been rated as critical. This issue affects the function open/close of the component synaptics. The manipulation with an unknown input leads to a denial of service vulnerability. Using CWE to declare the problem leads to CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. Impacted is availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: Input: synaptics - fix crash when enabling pass-through port When enabling a pass-through port an interrupt might come before psmouse driver binds to the pass-through port. However synaptics sub-driver tries to access psmouse instance presumably associated with the pass-through port to figure out if only 1 byte of response or entire protocol packet needs to be forwarded to the pass-through port and may crash if psmouse instance has not been attached to the port yet. Fix the crash by introducing open() and close() methods for the port and check if the port is open before trying to access psmouse instance. Because psmouse calls serio_open() only after attaching psmouse instance to serio port instance this prevents the potential crash.

The advisory is shared at git.kernel.org. The identification of this vulnerability is CVE-2025-21746 since 12/29/2024. Technical details are known, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 230828 (Linux Distros Unpatched Vulnerability : CVE-2025-21746), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.13.3 or 6.14-rc1 eliminates this vulnerability. Applying the patch 87da1ea93ec9f9f0004e5b12e78789bc94e360bf/08bd5b7c9a2401faabdaa1472d45c7de0755fd7e is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (230828) and CERT Bund (WID-SEC-2025-0453). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• Google Container-Optimized OS
• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• Siemens SIMATIC S7
• RESF Rocky Linux
• Dell NetWorker
• Dell Avamar
• Red Hat OpenShift
• IBM QRadar SIEM
• SolarWinds Security Event Manager
• Dell PowerProtect Data Domain
• Open Source Linux Kernel
• IBM DataPower Gateway
• Dell Secure Connect Gateway
• Dell PowerScale OneFS
• Dell ECS

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.13.0
• 6.13.1
• 6.13.2

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion