CVE-2025-21652: Vulnerability in Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

ipvlan: Fix use-after-free in ipvlan_get_iflink().

syzbot presented a use-after-free report [0] regarding ipvlan and linkwatch.

ipvlan does not hold a refcnt of the lower device unlike vlan and macvlan.

If the linkwatch work is triggered for the ipvlan dev, the lower dev might have already been freed, resulting in UAF of ipvlan->phy_dev in ipvlan_get_iflink().

We can delay the lower dev unregistration like vlan and macvlan by holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and releasing it in dev->priv_destructor().

Jakub pointed out calling .ndo_XXX after unregister_netdevice() has returned is error prone and suggested [1] addressing this UAF in the core by taking commit 750e51603395 ("net: avoid potential UAF in default_operstate()") further.

Let's assume unregistering devices DOWN and use RCU protection in default_operstate() not to race with the device unregistration.

[0]:
BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353
Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944

CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47
Hardware name: linux,dummy-virt (DT)
Workqueue: events_unbound linkwatch_event
Call trace:
 show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x16c/0x6f0 mm/kasan/report.c:489
 kasan_report+0xc0/0x120 mm/kasan/report.c:602
 __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380
 ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353
 dev_get_iflink+0x7c/0xd8 net/core/dev.c:674
 default_operstate net/core/link_watch.c:45 [inline]
 rfc2863_policy+0x144/0x360 net/core/link_watch.c:72
 linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175
 __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239
 linkwatch_event+0x64/0xa8 net/core/link_watch.c:282
 process_one_work+0x700/0x1398 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391
 kthread+0x2b0/0x360 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

Allocated by task 9303:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x30/0x68 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4283 [inline]
 __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289
 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650
 alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209
 rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595
 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771
 __rtnl_newlink net/core/rtnetlink.c:3896 [inline]
 rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011
 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901
 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542
 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928
 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
 netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347
 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891
 sock_sendmsg_nosec net/socket.c:711 [inline]
 __sock_sendmsg net/socket.c:726 [inline]
 __sys_sendto+0x2ec/0x438 net/socket.c:2197
 __do_sys_sendto net/socket.c:2204 [inline]
 __se_sys_sendto net/socket.c:2200 [inline]
 __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
 el ---truncated---
AI Analysis
Technical Summary
CVE-2025-21652 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's ipvlan network driver. Unlike the vlan and macvlan drivers, ipvlan does not hold a reference count on its lower network device. When the linkwatch workqueue processes the ipvlan device, the lower device it points to (ipvlan->phy_dev) may already have been freed, and ipvlan_get_iflink() then reads freed memory. The bug was reported by syzbot, the kernel fuzzing infrastructure, and confirmed by a Kernel Address Sanitizer (KASAN) slab-use-after-free report. The root cause is a race: the lower device can be unregistered and freed while linkwatch still accesses it asynchronously from a workqueue. The commit message considers the vlan/macvlan approach of delaying the lower device's unregistration by holding its refcount in ndo_init() and releasing it in priv_destructor(). Because calling .ndo_XXX operations after unregister_netdevice() has returned is error prone, the fix was instead applied in the networking core, extending commit 750e51603395: devices are assumed to be unregistered in the DOWN state, and default_operstate() uses Read-Copy-Update (RCU) protection so that it cannot race with device unregistration. The vulnerability affects Linux kernel versions around 6.13.0-rc2 and likely other versions with the same ipvlan implementation. The CVSS v3.1 score is 7.8: high impact on confidentiality, integrity, and availability, low attack complexity, local privileges required, and no user interaction. Exploitation could allow a local attacker with the required privileges to execute arbitrary code or cause a denial of service by triggering the use-after-free, compromising system stability and security.
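To show why the refcount approach the commit message weighs (the pattern vlan and macvlan follow) closes this UAF, here is an added user-space model; it is not kernel code and not the merged fix, which was applied in default_operstate() with RCU instead. The struct definitions, dev_hold/dev_put and the scenario function are constructed stand-ins for the kernel objects named in the report.

```c
/* Added user-space model of the ipvlan lifetime bug and of the refcount fix the
 * commit message discusses. Constructed example, not kernel code. */
#include <stdbool.h>

/* Stand-in for struct net_device; "freed" plays the role of KASAN poisoning. */
struct net_device { int ifindex; int refcnt; bool freed; };

/* Stand-in for ipvlan's private data: a raw pointer to the lower device. */
struct ipvl_dev { struct net_device *phy_dev; bool holds_ref; };

static void dev_hold(struct net_device *d) { d->refcnt++; }
/* The device is freed only when the last reference is dropped. */
static void dev_put(struct net_device *d) { if (--d->refcnt == 0) d->freed = true; }

/* ipvlan_get_iflink(): returns the lower device's ifindex. The model returns
 * -1 where the real driver would read freed memory (the KASAN report). */
static int ipvlan_get_iflink(const struct ipvl_dev *ipvlan)
{
    if (ipvlan->phy_dev->freed)
        return -1;
    return ipvlan->phy_dev->ifindex;
}

/* ndo_init(): the vulnerable variant keeps a bare pointer; the fixed variant
 * pins the lower device with dev_hold(), as vlan and macvlan do. */
static void ipvlan_init(struct ipvl_dev *ipvlan, struct net_device *lower, bool hold_ref)
{
    ipvlan->phy_dev = lower;
    ipvlan->holds_ref = hold_ref;
    if (hold_ref)
        dev_hold(lower);
}

/* priv_destructor(): the fixed variant releases the reference taken above. */
static void ipvlan_destroy(struct ipvl_dev *ipvlan)
{
    if (ipvlan->holds_ref)
        dev_put(ipvlan->phy_dev);
}

/* Scenario from the report: the lower device (ifindex 2, one registration
 * reference) is unregistered before the deferred linkwatch work runs. Returns
 * what linkwatch observes: 2 if the lower device is still alive, -1 on UAF. */
static int linkwatch_after_lower_unregistered(bool hold_ref)
{
    struct net_device lower = { .ifindex = 2, .refcnt = 1, .freed = false };
    struct ipvl_dev ipvlan;

    ipvlan_init(&ipvlan, &lower, hold_ref);
    dev_put(&lower);                         /* unregister_netdevice() drops its ref */
    int iflink = ipvlan_get_iflink(&ipvlan); /* linkwatch_event -> default_operstate */
    ipvlan_destroy(&ipvlan);                 /* fixed variant frees the lower dev here */
    return iflink;
}
```

With hold_ref false the linkwatch read lands on a freed device (the KASAN report above); with hold_ref true the lower device outlives the ipvlan device that points to it.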
Potential Impact
For European organizations, this vulnerability poses significant risk, especially in environments that rely heavily on Linux-based infrastructure: cloud providers, telecommunications, financial institutions, and critical infrastructure sectors. The ipvlan driver is commonly used in containerized and virtualized networking setups to provide efficient Layer 2 connectivity. Exploitation could lead to privilege escalation, arbitrary code execution in kernel context, or denial of service, affecting the confidentiality, integrity, and availability of critical systems. Given the widespread adoption of Linux in European data centers and enterprise environments, successful exploitation could disrupt services, lead to data breaches, or enable lateral movement within networks. Organizations running container orchestration platforms (e.g., Kubernetes) or virtualized network functions that use ipvlan are particularly exposed. The vulnerability requires local access and privileges, so insider threats or compromised user accounts are the likely route to exploitation. No exploits are currently known in the wild, which reduces immediate risk, but the high severity and kernel-level impact call for prompt remediation.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2025-21652 as soon as they are available from trusted sources or Linux distribution vendors.
2. For custom or long-term support kernels, backport the fix or upgrade to a patched kernel version to close the race between linkwatch and lower device unregistration.
3. Implement strict access controls and monitoring on systems with ipvlan-enabled interfaces to limit local privilege escalation opportunities.
4. Run the Kernel Address Sanitizer (KASAN) in testing and fuzzing environments to detect similar memory corruption issues proactively.
5. Review and restrict the use of ipvlan interfaces where possible, considering macvlan or vlan, which hold a reference on their lower device, if they meet operational requirements.
6. Monitor system logs and kernel messages for unusual linkwatch or network device activity that could indicate attempts to exploit this vulnerability.
7. Incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation.
8. Educate system administrators and DevOps teams about the risks associated with ipvlan and the importance of timely kernel updates.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.729Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9738
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 7/3/2025, 5:40:55 AM
Last updated: 8/16/2025, 2:57:21 PM