CVE-2025-21957

scsi: qla1280: Fix kernel oops when debug level > 2

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: qla1280: Fix kernel oops when debug level > 2 A null dereference or oops exception will eventually occur when qla1280.c driver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2. I think its clear from the code that the intention here is sg_dma_len(s) not length of sg_next(s) when printing the debug info.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/afa27b7c17a48e01546ccaad0ab017ad0496a522 patch
https://git.kernel.org/stable/c/11a8dac1177a596648a020a7f3708257a2f95fee patch
https://git.kernel.org/stable/c/c737e2a5fb7f90b96a96121da1b50a9c74ae9b8c patch
https://git.kernel.org/stable/c/24602e2664c515a4f2950d7b52c3d5997463418c patch
https://git.kernel.org/stable/c/ea371d1cdefb0951c7127a33bcd7eb931cf44571 patch
https://git.kernel.org/stable/c/af71ba921d08c241a817010f96458dc5e5e26762 patch
https://git.kernel.org/stable/c/7ac2473e727d67a38266b2b7e55c752402ab588c patch
https://git.kernel.org/stable/c/5233e3235dec3065ccc632729675575dbe3c6b8a patch

Frequently Asked Questions

What is the severity of CVE-2025-21957?
CVE-2025-21957 has been scored as a medium severity vulnerability.
How to fix CVE-2025-21957?
To fix CVE-2025-21957, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-21957 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-21957 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-21957?
CVE-2025-21957 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.