{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21902", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.785Z", "datePublished": "2025-04-01T15:40:44.425Z", "dateUpdated": "2025-05-04T07:23:51.470Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:23:51.470Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: typec: ucsi: Introduce a ->poll_cci method\n\nFor the ACPI backend of UCSI the UCSI \"registers\" are just a memory copy\nof the register values in an opregion. The ACPI implementation in the\nBIOS ensures that the opregion contents are synced to the embedded\ncontroller and it ensures that the registers (in particular CCI) are\nsynced back to the opregion on notifications. While there is an ACPI call\nthat syncs the actual registers to the opregion there is rarely a need to\ndo this and on some ACPI implementations it actually breaks in various\ninteresting ways.\n\nThe only reason to force a sync from the embedded controller is to poll\nCCI while notifications are disabled. Only the ucsi core knows if this\nis the case and guessing based on the current command is suboptimal, i.e.\nleading to the following spurious assertion splat:\n\nWARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1\nHardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023\nWorkqueue: events_long ucsi_init_work [typec_ucsi]\nRIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCall Trace:\n <TASK>\n ucsi_init_work+0x3c/0xac0 [typec_ucsi]\n process_one_work+0x179/0x330\n worker_thread+0x252/0x390\n kthread+0xd2/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThus introduce a ->poll_cci() method that works like ->read_cci() with an\nadditional forced sync and document that this should be used when polling\nwith notifications disabled. For all other backends that presumably don't\nhave this issue use the same implementation for both methods."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/typec/ucsi/ucsi.c", "drivers/usb/typec/ucsi/ucsi.h", "drivers/usb/typec/ucsi/ucsi_acpi.c", "drivers/usb/typec/ucsi/ucsi_ccg.c", "drivers/usb/typec/ucsi/ucsi_glink.c", "drivers/usb/typec/ucsi/ucsi_stm32g0.c", "drivers/usb/typec/ucsi/ucsi_yoga_c630.c"], "versions": [{"version": "c0ca6fd5f6ebde8fc0df8bb5c32629d1284f60d0", "lessThan": "012b98cdb54c7d47743ee7fc402fa23f2d90529a", "status": "affected", "versionType": "git"}, {"version": "fa48d7e81624efdf398b990a9049e9cd75a5aead", "lessThan": "1aec5c9066965ac0984e385bbc31455ae31cbffc", "status": "affected", "versionType": "git"}, {"version": "fa48d7e81624efdf398b990a9049e9cd75a5aead", "lessThan": "976e7e9bdc7719a023a4ecccd2e3daec9ab20a40", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/typec/ucsi/ucsi.c", "drivers/usb/typec/ucsi/ucsi.h", "drivers/usb/typec/ucsi/ucsi_acpi.c", "drivers/usb/typec/ucsi/ucsi_ccg.c", "drivers/usb/typec/ucsi/ucsi_glink.c", "drivers/usb/typec/ucsi/ucsi_stm32g0.c", "drivers/usb/typec/ucsi/ucsi_yoga_c630.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.19", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.7", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.5", "versionEndExcluding": "6.12.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.13.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/012b98cdb54c7d47743ee7fc402fa23f2d90529a"}, {"url": "https://git.kernel.org/stable/c/1aec5c9066965ac0984e385bbc31455ae31cbffc"}, {"url": "https://git.kernel.org/stable/c/976e7e9bdc7719a023a4ecccd2e3daec9ab20a40"}], "title": "acpi: typec: ucsi: Introduce a ->poll_cci method", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "32C54FE1-D058-4565-9F5B-4B599C9615BF", "versionEndExcluding": "6.12.19", "versionStartIncluding": "6.12.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "842F5A44-3E71-4546-B4FD-43B0ACE3F32B", "versionEndExcluding": "6.13.7", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: typec: ucsi: Introduce a ->poll_cci method\n\nFor the ACPI backend of UCSI the UCSI \"registers\" are just a memory copy\nof the register values in an opregion. The ACPI implementation in the\nBIOS ensures that the opregion contents are synced to the embedded\ncontroller and it ensures that the registers (in particular CCI) are\nsynced back to the opregion on notifications. While there is an ACPI call\nthat syncs the actual registers to the opregion there is rarely a need to\ndo this and on some ACPI implementations it actually breaks in various\ninteresting ways.\n\nThe only reason to force a sync from the embedded controller is to poll\nCCI while notifications are disabled. Only the ucsi core knows if this\nis the case and guessing based on the current command is suboptimal, i.e.\nleading to the following spurious assertion splat:\n\nWARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1\nHardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023\nWorkqueue: events_long ucsi_init_work [typec_ucsi]\nRIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCall Trace:\n <TASK>\n ucsi_init_work+0x3c/0xac0 [typec_ucsi]\n process_one_work+0x179/0x330\n worker_thread+0x252/0x390\n kthread+0xd2/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThus introduce a ->poll_cci() method that works like ->read_cci() with an\nadditional forced sync and document that this should be used when polling\nwith notifications disabled. For all other backends that presumably don't\nhave this issue use the same implementation for both methods."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: acpi: typec: ucsi: Introducir un m\u00e9todo -&gt;poll_cci. Para el backend ACPI de UCSI, los \"registros\" UCSI son simplemente una copia en memoria de los valores de registro en una regi\u00f3n operativa. La implementaci\u00f3n de ACPI en la BIOS garantiza que el contenido de la regi\u00f3n operativa se sincronice con el controlador integrado y que los registros (en particular, CCI) se sincronicen con la regi\u00f3n operativa en las notificaciones. Si bien existe una llamada ACPI que sincroniza los registros con la regi\u00f3n operativa, rara vez es necesario hacerlo y, en algunas implementaciones de ACPI, falla de diversas maneras interesantes. La \u00fanica raz\u00f3n para forzar una sincronizaci\u00f3n desde el controlador integrado es sondear CCI mientras las notificaciones est\u00e1n deshabilitadas. Solo el n\u00facleo ucsi sabe si este es el caso y las suposiciones basadas en el comando actual no son \u00f3ptimas, es decir, conducen al siguiente mensaje de afirmaci\u00f3n falsa: ADVERTENCIA: CPU: 3 PID: 76 en drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] CPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 No contaminado 6.12.11-200.fc41.x86_64 #1 Nombre del hardware: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 17/03/2023 Cola de trabajo: events_long ucsi_init_work [typec_ucsi] RIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] Seguimiento de llamadas: ucsi_init_work+0x3c/0xac0 [typec_ucsi] process_one_work+0x179/0x330 workers_thread+0x252/0x390 kthread+0xd2/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 Por lo tanto, introduzca un m\u00e9todo -&gt;poll_cci() que funcione como -&gt;read_cci() con una sincronizaci\u00f3n forzada adicional y documente que debe usarse al sondear con las notificaciones deshabilitadas. Para todos los dem\u00e1s backends que presumiblemente no presenten este problema, utilice la misma implementaci\u00f3n para ambos m\u00e9todos."}], "id": "CVE-2025-21902", "lastModified": "2025-10-31T18:51:38.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-01T16:15:20.650", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/012b98cdb54c7d47743ee7fc402fa23f2d90529a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1aec5c9066965ac0984e385bbc31455ae31cbffc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/976e7e9bdc7719a023a4ecccd2e3daec9ab20a40"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: acpi: typec: ucsi: Introduce a ->poll_cci method", "id": "2356647", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356647"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nacpi: typec: ucsi: Introduce a ->poll_cci method\nFor the ACPI backend of UCSI the UCSI \"registers\" are just a memory copy\nof the register values in an opregion. The ACPI implementation in the\nBIOS ensures that the opregion contents are synced to the embedded\ncontroller and it ensures that the registers (in particular CCI) are\nsynced back to the opregion on notifications. While there is an ACPI call\nthat syncs the actual registers to the opregion there is rarely a need to\ndo this and on some ACPI implementations it actually breaks in various\ninteresting ways.\nThe only reason to force a sync from the embedded controller is to poll\nCCI while notifications are disabled. Only the ucsi core knows if this\nis the case and guessing based on the current command is suboptimal, i.e.\nleading to the following spurious assertion splat:\nWARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1\nHardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023\nWorkqueue: events_long ucsi_init_work [typec_ucsi]\nRIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCall Trace:\n<TASK>\nucsi_init_work+0x3c/0xac0 [typec_ucsi]\nprocess_one_work+0x179/0x330\nworker_thread+0x252/0x390\nkthread+0xd2/0x100\nret_from_fork+0x34/0x50\nret_from_fork_asm+0x1a/0x30\n</TASK>\nThus introduce a ->poll_cci() method that works like ->read_cci() with an\nadditional forced sync and document that this should be used when polling\nwith notifications disabled. For all other backends that presumably don't\nhave this issue use the same implementation for both methods."], "name": "CVE-2025-21902", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21902\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21902\nhttps://lore.kernel.org/linux-cve-announce/2025040126-CVE-2025-21902-ce66@gregkh/T"], "threat_severity": "Low"}