Is CVE-2025-21906 actively exploited?

CVE-2025-21906 has no public evidence of in-the-wild exploitation as of 2025-10-31.

What is the CVSS score for CVE-2025-21906?

CVE-2025-21906 has a CVSS score of 5.5 (MEDIUM severity). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

How do I patch CVE-2025-21906?

Patch guidance is available from linux security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-21906.

CVE-2025-21906 - remediation guidance & executive summary

Q: Which products are affected by CVE-2025-21906?

7 products: linux linux kernel, linux linux kernel, linux linux kernel, linux linux kernel, linux linux kernel, and 2 more.

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: clean up ROC on failure If the firmware fails to start the session protection, then we do call iwl_mvm_roc_finished() here, but that won't do anything at all because IWL_MVM_STATUS_ROC_P2P_RUNNING was never set. Set IWL_MVM_STATUS_ROC_P2P_RUNNING in the failure/stop path. If it started successfully before, it's already set, so that doesn't matter, and if it didn't start it needs to be set to clean up. Not doing so will lead to a WARN_ON() later on a fresh remain- on-channel, since the link is already active when activated as it was never deactivated.

CVSS Metrics

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: local
Complexity: low
Privileges: low
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Weaknesses: CWE-665

Metadata

Primary Vendor: LINUX
Published: 4/1/2025
Last Modified: 10/31/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

linux : linux_kernellinux : linux_kernellinux : linux_kernellinux : linux_kernellinux : linux_kernellinux : linux_kernellinux : linux_kernel

Remediation Guidance

Executive Summary

View on NIST NVD