Zero Day MonitorZDM

← Back to list

5.5

CVE-2025-21859PATCHED

linux · linux_kernel

In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When using USB MIDI, a lock is attempted to be acquired twice through a re

Description

In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causing a deadlock. Fix it by using queue_work() to schedule the inner f_midi_transmit() via a high priority work queue from the completion handler.

Affected Products

Vendor	Product	Versions
linux	linux_kernel	< 6.1.130, < 6.6.80, < 6.12.17, < 6.13.5

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
amazon	amazon linux	cert_advisory	90%
canonical	ubuntu linux	cert_advisory	90%
debian	debian linux	cert_advisory	90%
google	google container-optimized os	cert_advisory	90%
open source	open source linux kernel	cert_advisory	90%

References

Related News (1 articles)

Tier B

BSI Advisories2h ago

[UPDATE] [hoch] Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service

→ No new info (linked only)

CVSS 3.15.5 MEDIUM

VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

6.1.1306.6.806.12.176.13.5

CWECWE-667, CWE-667

PublishedMar 12, 2025

Last enriched8d ago

Trending Score23

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-23400EXP

In the Linux kernel, the following vulnerability has been resolved: rust_binder: call set_notification_done() without proc lock Consider the following sequence of events on a death listener: 1. The

HIGHCVE-2026-23406EXP

apparmor: fix side-effect bug in match_char() macro usage

HIGHCVE-2026-23398EXP

In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_d

NONECVE-2026-31410EXP

ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION

NONECVE-2026-31411

net: atm: fix crash due to unvalidated vcc pointer in sigd_send()

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 12, 2025

Patch Available

Nov 3, 2025

Discovered by ZDM

Apr 1, 2026