CVE-2025-21685

Summary

CVE-2025-21685 is a vulnerability in the Linux kernel affecting the Lenovo Yoga Tab 2 Pro Fast Charger. The issue lies in the yt2_1380_fc_serdev_probe() function, which calls devm_serdev_device_open() before setting the client ops. This ordering can lead to a NULL pointer dereference in the serdev controller's receive_buf handler, assuming serdev->ops is valid when SERPORT_ACTIVE is set. This vulnerability is similar to one addressed in commit 5e700b384ec1, where devm_serdev_device_open() was called prematurely. To mitigate this race condition, the client ops must be set prior to enabling the port via devm_serdev_device_open(). Additionally, serdev_device_set_baudrate() and serdev_device_set_flow_control() calls should follow the devm_serdev_device_open() call.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.