NULL Pointer Dereference Affecting linux-virt package, versions <6.12.12-r0


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.05% (14th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-MINIMOSLATEST-LINUXVIRT-13332084
  • published6 Oct 2025
  • disclosed31 Jan 2025

Introduced: 31 Jan 2025

CVE-2025-21669  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Minimos:latest linux-virt to version 6.12.12-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream linux-virt package and not the linux-virt package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: discard packets if the transport changes

If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport.

A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find vsk-&gt;transport at NULL, leading to a NULL pointer dereference.

CVSS Base Scores

version 3.1