vulnerability

Red Hat: CVE-2025-21689: kernel: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() (Multiple Advisories)

Name: Red Hat: CVE-2025-21689: kernel: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() (Multiple Advisories)
Creator: Red Hat
Published: 2025-02-10T00:00:00.000Z
Keywords: CVE, CWE-476, Red Hat, 2025, 21689, kernel, redhat-upgrade-kernel, redhat-upgrade-kernel-rt, Severity 5

Try Surface Command

Back to search

Severity

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

Feb 10, 2025

Added

May 15, 2025

Modified

Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()

This patch addresses a null-ptr-deref in qt2_process_read_urb() due to
an incorrect bounds check in the following:

if (newport > serial->num_ports) {
dev_err(&port->dev,
"%s - port change to invalid port: %i\n",
__func__, newport);
break;
}

The condition doesn't account for the valid range of the serial->port
buffer, which is from 0 to serial->num_ports - 1. When newport is equal
to serial->num_ports, the assignment of "port" in the
following code is out-of-bounds and NULL:

serial_priv->current_port = newport;
port = serial->port[serial_priv->current_port];

The fix checks if newport is greater than or equal to serial->num_ports
indicating it is out-of-bounds.

Solutions

redhat-upgrade-kernelredhat-upgrade-kernel-rt

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report