PatchSiren

CVE-2025-21845 Linux CVE debrief

CVE-2025-21845 is a Linux kernel availability issue in the MTD SPI-NOR SST write path. The vulnerability was introduced by a refactor in the SST write helper and can cause a warning and kernel crash when a write request is processed, because only one byte is written instead of the requested length.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-12
Original CVE updated: 2026-05-17
Advisory published: 2025-03-12
Advisory updated: 2026-05-17

Who should care

Kernel maintainers, distro security teams, and operators of Linux systems that use the MTD SPI-NOR SST flash path should prioritize this advisory, especially where local users or services can trigger MTD writes.

Technical summary

The CVE description states that commit 18bcb4aa54ea introduced a regression in sst_nor_write_data(), where the function writes only one byte regardless of the number of bytes passed in. The result is a failed write and a kernel warning/crash during MTD write operations, with the provided trace showing the failure path through mtdchar_write() and sst_nor_write_data(). NVD lists affected kernel ranges as 6.12 through 6.12.17, 6.13 through 6.13.5, and 6.14 release candidates rc1 through rc3.

Defensive priority

Medium. The issue is primarily a local denial-of-service condition, but it affects core kernel storage paths and should be patched promptly on any system that exposes the affected MTD SPI-NOR SST code path.

Recommended defensive actions

  • Apply the vendor or stable kernel fixes referenced in the official Git kernel patch links.
  • Backport the fix to any supported kernel branches that include the affected SST SPI-NOR code.
  • Upgrade to a kernel version outside the affected ranges listed by NVD where practical.
  • Validate systems that use MTD write utilities or services against the affected flash path and confirm they no longer trigger warnings or crashes.
  • Monitor kernel logs for sst_nor_write_data warnings or write failures after patching to confirm remediation.
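
As a starting point for the version and log checks above, here is an added shell example (not part of the advisory or the kernel project). It reads the NVD ranges quoted on this page as inclusive; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2025-21845; not from the advisory.

# Return 0 if a kernel release string is inside the ranges the page lists:
# 6.12 through 6.12.17, 6.13 through 6.13.5, 6.14-rc1 through rc3 (inclusive).
in_listed_range() {
    r=$1
    case $r in
        6.14-rc[1-3]|6.14-rc[1-3][!0-9]*) return 0 ;;
        6.14.0-rc[1-3]|6.14.0-rc[1-3][!0-9]*) return 0 ;;
        *-rc*) return 1 ;;   # other pre-releases are not in the listed ranges
    esac
    base=${r%%[!0-9.]*}      # drop suffixes such as "-generic" or "+"
    old_ifs=$IFS; IFS=.
    set -- $base             # split into major, minor, patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 6 ] || return 1
    case $minor in
        12) [ "$patch" -le 17 ] ;;
        13) [ "$patch" -le 5 ] ;;
        *)  return 1 ;;
    esac
}

# Count log lines on stdin that name the write helper seen in the crash trace.
sst_warning_count() {
    grep -c 'sst_nor_write_data' || true
}

# Constructed sample log (simplified; not the trace from the CVE record).
SAMPLE_LOG='[  101.000000] WARNING: CPU: 0 PID: 123 at drivers/mtd/spi-nor/sst.c
[  101.000100]  sst_nor_write_data+0x0/0x0
[  101.000200]  mtdchar_write+0x0/0x0
[  102.000000] usb 1-1: new high-speed USB device number 2'

running=$(uname -r)
if in_listed_range "$running"; then
    echo "$running: inside a listed affected range; check for a backported fix"
else
    echo "$running: outside the listed affected ranges"
fi
echo "sample log hits: $(printf '%s\n' "$SAMPLE_LOG" | sst_warning_count)"
# On a real host: dmesg | sst_warning_count   or   journalctl -k | sst_warning_count
```

A version match alone does not prove exposure: distribution kernels may carry a backported fix, and the system must actually use the SST SPI-NOR write path.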

Evidence notes

This debrief is based on the CVE description and NVD metadata supplied in the source corpus. The description explicitly identifies a regression in drivers/mtd/spi-nor/sst.c causing only one byte to be written and includes a crash trace. NVD metadata supplies the affected version criteria and CVSS vector, and the official Git kernel references indicate patches are available.

Official resources

CVE published 2025-03-12T10:15:16.820Z; NVD modified 2026-05-17T16:16:14.157Z.