CVE-2025-21653: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute

syzbot found that TCA_FLOW_RSHIFT attribute was not validated. Right shifting a 32bit integer is undefined for large shift values.

UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23
shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')
CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329
tc_classify include/net/tc_wrapper.h:197 [inline]
__tcf_classify net/sched/cls_api.c:1771 [inline]
tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867
sfb_classify net/sched/sch_sfb.c:260 [inline]
sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318
dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793
__dev_xmit_skb net/core/dev.c:3889 [inline]
__dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
neigh_hh_output include/net/neighbour.h:523 [inline]
neigh_output include/net/neighbour.h:537 [inline]
ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173
geneve_xmit_skb drivers/net/geneve.c:916 [inline]
geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039
__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
netdev_start_xmit include/linux/netdevice.h:5011 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606
__dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434
AI Analysis
Technical Summary
CVE-2025-21653 is a vulnerability in the Linux kernel's network scheduling subsystem (net_sched), specifically in the cls_flow classifier. The issue arises from missing validation of the TCA_FLOW_RSHIFT attribute, which specifies how far the classifier right-shifts a 32-bit unsigned key. The syzbot fuzzing infrastructure found that the attribute was accepted without a bounds check, so arbitrarily large shift counts could be configured. Right-shifting a 32-bit integer by 32 or more is undefined behavior in C, potentially causing unpredictable results including memory corruption or kernel crashes; in the syzbot report the Undefined Behavior Sanitizer (UBSAN) caught a shift exponent of 9445 at net/sched/cls_flow.c line 329. The call trace shows the shift executing in flow_classify() during packet classification and enqueueing (tcf_classify called from sfb_enqueue on the transmit path), operations that are central to network traffic management. Triggering the undefined behavior could lead to kernel instability or denial of service (DoS) conditions in the network scheduler. No exploits are currently reported in the wild. The vulnerability affects Linux kernel versions prior to the patch and is reached once a flow filter carrying an out-of-range TCA_FLOW_RSHIFT value has been configured and network traffic is then classified by it; it does not appear to require user authentication, but exploitation would likely require the ability to send or influence network traffic processed by the vulnerable kernel. The fix validates the TCA_FLOW_RSHIFT attribute so that shift counts stay within the valid range for a 32-bit value, preventing the undefined behavior.
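To make the missing check concrete, the following is a constructed C model added for this analysis (it is not the kernel's cls_flow code, and the struct and function names are illustrative): the rshift value arrives from the TCA_FLOW_RSHIFT attribute at configuration time and is applied to a 32-bit key on every packet, so the per-packet shift is only safe because the configuration path rejects any count of 32 or more, which is the bound the patch has to enforce.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a flow filter (not kernel code): rshift comes from user
 * configuration via the TCA_FLOW_RSHIFT netlink attribute and is applied to a
 * 32-bit key for every packet the classifier sees. */
struct flow_filter {
    uint32_t rshift;   /* from TCA_FLOW_RSHIFT */
    uint32_t addend;
    uint32_t divisor;  /* 0 means no modulo */
};
/* Per-packet path. Safe only because flow_filter_configure() guarantees
 * rshift < 32; with an unvalidated rshift such as the 9445 in the UBSAN report
 * the first shift is undefined behaviour for a 32-bit type. */
static uint32_t flow_classify_key(const struct flow_filter *f, uint32_t key)
{
    key >>= f->rshift;
    key += f->addend;
    if (f->divisor)
        key %= f->divisor;
    return key;
}
/* A u32 may be shifted by 0..31 only; check once at configuration time,
 * before any packet can reach the shift. */
static bool flow_rshift_valid(uint32_t rshift)
{
    return rshift < 32;
}
/* Control-plane path: -EINVAL rejects the filter, as a netlink policy
 * bound would, so an out-of-range rshift is never installed. */
static int flow_filter_configure(struct flow_filter *f, uint32_t rshift,
                                 uint32_t addend, uint32_t divisor)
{
    if (!flow_rshift_valid(rshift))
        return -EINVAL;
    f->rshift = rshift;
    f->addend = addend;
    f->divisor = divisor;
    return 0;
}

int main(void)
{
    struct flow_filter f;
    printf("rshift 9445 -> rc %d\n", flow_filter_configure(&f, 9445, 0, 1024));
    if (flow_filter_configure(&f, 4, 0, 1024) == 0)
        printf("key 0x12345678 -> class %u\n", flow_classify_key(&f, 0x12345678u));
    return 0;
}
```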
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those acting as network routers, firewalls, or other network infrastructure devices that utilize the cls_flow classifier for traffic shaping and classification. Successful exploitation could lead to kernel crashes, resulting in denial of service and potential disruption of critical network services. This could impact availability of services, particularly in environments relying heavily on Linux-based network appliances or servers. Confidentiality and integrity impacts are less direct but could arise if attackers leverage kernel instability to escalate privileges or bypass security controls. Given the widespread use of Linux in European data centers, cloud providers, and enterprise networks, the vulnerability could affect a broad range of sectors including telecommunications, finance, government, and critical infrastructure. The lack of known exploits reduces immediate risk, but the potential for DoS attacks or kernel panic events makes timely patching important to maintain network reliability and service continuity.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions that include the patch for CVE-2025-21653. Since the vulnerability lies in the network scheduler's cls_flow module, organizations should audit their traffic control configurations for flow filters that set the TCA_FLOW_RSHIFT attribute and limit exposure to untrusted or malformed network traffic that could trigger the flaw. Network segmentation and filtering can help limit exposure by restricting access to vulnerable systems from untrusted networks. For critical infrastructure, consider deploying kernel live patching solutions to apply fixes without downtime. Monitoring kernel logs for UBSAN shift-out-of-bounds reports or related error messages can help detect attempted exploitation or instability. Additionally, organizations should review and harden network device configurations to minimize attack surface, including disabling traffic classifiers that are not in use. Working with Linux distribution vendors to receive timely security updates, and testing patches in staging environments before production deployment, is recommended to ensure stability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.729Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe973c
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 4:28:01 PM
Last updated: 7/26/2025, 8:53:22 AM