
CVE-2025-21674: Vulnerability in Linux

High
Published: Fri Jan 31 2025 (01/31/2025, 11:25:36 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel

Attempting to enable IPsec packet offload in tunnel mode in a debug kernel generates the following kernel panic, which is happening due to two issues:
1. In the SA add section, the _bh() variant should be used when marking SA mode.
2. There is an unneeded flush_workqueue in the SA delete routine. It is not needed at this stage, as the SA is already removed from the SADB and the running work will be canceled later in SA free.

=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
6.12.0+ #4 Not tainted
-----------------------------------------------------
charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire:
ffff88810f365020 (&xa->xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core]

and this task is already holding:
ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30
which would create a new lock dependency:
 (&x->lock){+.-.}-{3:3} -> (&xa->xa_lock#24){+.+.}-{3:3}

but this new dependency connects a SOFTIRQ-irq-safe lock:
 (&x->lock){+.-.}-{3:3}

... which became SOFTIRQ-irq-safe at:
  lock_acquire+0x1be/0x520
  _raw_spin_lock_bh+0x34/0x40
  xfrm_timer_handler+0x91/0xd70
  __hrtimer_run_queues+0x1dd/0xa60
  hrtimer_run_softirq+0x146/0x2e0
  handle_softirqs+0x266/0x860
  irq_exit_rcu+0x115/0x1a0
  sysvec_apic_timer_interrupt+0x6e/0x90
  asm_sysvec_apic_timer_interrupt+0x16/0x20
  default_idle+0x13/0x20
  default_idle_call+0x67/0xa0
  do_idle+0x2da/0x320
  cpu_startup_entry+0x50/0x60
  start_secondary+0x213/0x2a0
  common_startup_64+0x129/0x138

to a SOFTIRQ-irq-unsafe lock:
 (&xa->xa_lock#24){+.+.}-{3:3}

... which became SOFTIRQ-irq-unsafe at:
...
  lock_acquire+0x1be/0x520
  _raw_spin_lock+0x2c/0x40
  xa_set_mark+0x70/0x110
  mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core]
  xfrm_dev_state_add+0x3bb/0xd70
  xfrm_add_sa+0x2451/0x4a90
  xfrm_user_rcv_msg+0x493/0x880
  netlink_rcv_skb+0x12e/0x380
  xfrm_netlink_rcv+0x6d/0x90
  netlink_unicast+0x42f/0x740
  netlink_sendmsg+0x745/0xbe0
  __sock_sendmsg+0xc5/0x190
  __sys_sendto+0x1fe/0x2c0
  __x64_sys_sendto+0xdc/0x1b0
  do_syscall_64+0x6d/0x140
  entry_SYSCALL_64_after_hwframe+0x4b/0x53

other info that might help us debug this:

 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&xa->xa_lock#24);
                               local_irq_disable();
                               lock(&x->lock);
                               lock(&xa->xa_lock#24);
  <Interrupt>
    lock(&x->lock);

 *** DEADLOCK ***

2 locks held by charon/1337:
 #0: ffffffff87f8f858 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90
 #1: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30

the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (&x->lock){+.-.}-{3:3} ops: 29 {
   HARDIRQ-ON-W at:
                    lock_acquire+0x1be/0x520
                    _raw_spin_lock_bh+0x34/0x40
                    xfrm_alloc_spi+0xc0/0xe60
                    xfrm_alloc_userspi+0x5f6/0xbc0
                    xfrm_user_rcv_msg+0x493/0x880
                    netlink_rcv_skb+0x12e/0x380
                    xfrm_netlink_rcv+0x6d/0x90
                    netlink_unicast+0x42f/0x740
                    netlink_sendmsg+0x745/0xbe0
                    __sock_sendmsg+0xc5/0x190
                    __sys_sendto+0x1fe/0x2c0
                    __x64_sys_sendto+0xdc/0x1b0
                    do_syscall_64+0x6d/0x140
                    entry_SYSCALL_64_after_hwframe+0x4b/0x53
   IN-SOFTIRQ-W at:
                    lock_acquire+0x1be/0x520
                    _raw_spin_lock_bh+0x34/0x40
                    xfrm_timer_handler+0x91/0xd70
                    __hrtimer_run_queues+0x1dd/0xa60
---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 17:09:51 UTC

Technical Analysis

CVE-2025-21674 is a vulnerability in the Linux kernel's mlx5e network driver, specifically in its handling of IPsec packet offload in tunnel mode. Enabling IPsec packet offload in tunnel mode on a debug kernel (one with lock dependency checking enabled) triggers a kernel panic caused by incorrect locking and concurrency control. The root cause has two parts: first, in the SA add path the driver marks the Security Association (SA) mode in its xarray using the plain spinlock variant where the _bh() variant, which disables bottom halves, was required; second, the SA delete routine contains an unnecessary flush_workqueue call, which is redundant and potentially harmful because the SA has already been removed from the Security Association Database (SADB) and any running work is canceled later during SA free. The vulnerability manifests as a lock-order inversion between a SOFTIRQ-safe lock and a SOFTIRQ-unsafe lock. Specifically, mlx5e_xfrm_del_state acquires the xarray lock xa_lock (SOFTIRQ-unsafe, because the add path takes it with softirqs enabled) while holding x->lock, which is SOFTIRQ-safe because the xfrm timer handler takes it from softirq context. The resulting dependency x->lock -> xa_lock can deadlock: one CPU holds xa_lock with softirqs enabled, a second CPU takes x->lock and then waits for xa_lock, and a softirq (the xfrm timer) on the first CPU tries to take x->lock, so neither side can make progress. This scenario is particularly concerning because it lives in the networking stack's IPsec implementation, which is critical for secure communications. The vulnerability affects Linux kernel versions identified by the commit hash 4c24272b4e2befca6ad1409c3c9aaa16c24b1099 and likely subsequent versions until patched. Although no exploits are currently reported in the wild, the issue can cause denial of service through kernel panics, impacting the availability of systems that rely on IPsec offloading with mlx5e drivers.
This vulnerability is complex and requires deep kernel and networking knowledge to understand and mitigate effectively.
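To make the lockdep rule behind the trace concrete, here is an added user-space C model; it is not kernel code and not from the mlx5e driver or the fix. It tracks which locks have been taken from softirq context (SOFTIRQ-safe) and which have been taken with softirqs enabled (SOFTIRQ-unsafe), and flags the same "SOFTIRQ-safe -> SOFTIRQ-unsafe" dependency the trace reports. The lock names mirror the trace, the event sequence is constructed from the three call paths shown in it, and the add_uses_bh switch is an assumption of this model: it selects between the plain spinlock in the SA-add path (the bug) and the _bh() variant the fix requires. The model is a simplification of lockdep in that it checks the rule only at the moment a new dependency is created.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified lock-state tracker modelled on lockdep's SOFTIRQ-safe /
 * SOFTIRQ-unsafe rule. Added illustration, not kernel code: lock names
 * mirror the CVE-2025-21674 trace, the event sequence is constructed. */

enum { LOCK_X = 0, LOCK_XA = 1, NLOCKS = 2, MAX_HELD = 8 };

static const char *lock_name[NLOCKS] = { "x->lock", "xa->xa_lock" };

struct lock_class {
    bool softirq_safe;    /* has been acquired from softirq context */
    bool softirq_unsafe;  /* has been acquired with softirqs enabled */
};

struct tracker {
    struct lock_class cls[NLOCKS];
    int held[MAX_HELD];   /* locks currently held by this "task" */
    int nheld;
    int violations;
};

static void tracker_init(struct tracker *t) { memset(t, 0, sizeof *t); }

/* ctx_softirq: the acquisition runs inside a softirq (e.g. a timer handler).
 * bh_disabled: the acquisition uses a _bh variant or runs with BH already off.
 * Returns the cumulative number of rule violations seen so far. */
static int lock_acquire(struct tracker *t, int lock, bool ctx_softirq, bool bh_disabled)
{
    struct lock_class *c = &t->cls[lock];
    if (ctx_softirq)
        c->softirq_safe = true;
    else if (!bh_disabled)
        c->softirq_unsafe = true;

    /* Every held lock H gains a dependency H -> lock. A SOFTIRQ-safe H
     * followed by a SOFTIRQ-unsafe lock is the pattern in the trace: CPU0
     * holds `lock` with softirqs on, CPU1 holds H and waits for `lock`,
     * and a softirq on CPU0 then waits for H. */
    for (int i = 0; i < t->nheld; i++) {
        struct lock_class *h = &t->cls[t->held[i]];
        if (h->softirq_safe && c->softirq_unsafe) {
            printf("WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order: %s -> %s\n",
                   lock_name[t->held[i]], lock_name[lock]);
            t->violations++;
        }
    }
    if (t->nheld < MAX_HELD)
        t->held[t->nheld++] = lock;
    return t->violations;
}

static void lock_release(struct tracker *t, int lock)
{
    for (int i = t->nheld - 1; i >= 0; i--) {
        if (t->held[i] == lock) {
            memmove(&t->held[i], &t->held[i + 1],
                    (size_t)(t->nheld - i - 1) * sizeof t->held[0]);
            t->nheld--;
            return;
        }
    }
}

/* Replays the three paths from the advisory's trace. add_uses_bh (assumed
 * switch) selects whether the SA-add path marks the xarray under the _bh()
 * variant (the fix) or the plain spinlock (the bug). Returns violation count. */
static int replay_ipsec_offload(bool add_uses_bh)
{
    struct tracker t;
    tracker_init(&t);

    /* 1. mlx5e_xfrm_add_state: xa_set_mark takes xa_lock in process context */
    lock_acquire(&t, LOCK_XA, false, add_uses_bh);
    lock_release(&t, LOCK_XA);

    /* 2. xfrm_timer_handler: x->lock taken from the hrtimer softirq */
    lock_acquire(&t, LOCK_X, true, true);
    lock_release(&t, LOCK_X);

    /* 3. xfrm_state_delete -> mlx5e_xfrm_del_state: xa_lock taken while
     *    holding x->lock (x->lock was taken with spin_lock_bh, so BH is off) */
    lock_acquire(&t, LOCK_X, false, true);
    int v = lock_acquire(&t, LOCK_XA, false, true);
    lock_release(&t, LOCK_XA);
    lock_release(&t, LOCK_X);
    return v;
}

int main(void)
{
    printf("plain xa_lock in add path: %d violation(s)\n", replay_ipsec_offload(false));
    printf("xa_lock_bh in add path:    %d violation(s)\n", replay_ipsec_offload(true));
    return 0;
}
```

The only difference between the two runs is whether the add path ever takes xa_lock with softirqs enabled; once it never does, the lock is no longer SOFTIRQ-unsafe and the x->lock -> xa_lock dependency created in the delete path is harmless, which is why the fix only needs the _bh() variant at the marking site rather than a change of lock order.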

Potential Impact

For European organizations, the impact of CVE-2025-21674 can be significant, especially for those utilizing Linux servers with Mellanox (mlx5e) network interfaces and IPsec tunnel offloading enabled. IPsec is widely used in Europe for securing VPNs, remote access, and inter-site communications, particularly in sectors such as finance, government, telecommunications, and critical infrastructure. A kernel panic resulting from this vulnerability leads to system crashes and service outages, which can disrupt business operations, cause loss of productivity, and impact service availability. Organizations relying on high availability and secure communications may face increased operational risks. Furthermore, the complexity of the vulnerability and its occurrence in kernel-level networking code means that recovery may require system reboots and patching, potentially causing downtime. Although no active exploitation is known, the vulnerability's presence in widely deployed Linux kernels means that attackers with sufficient knowledge could develop exploits, increasing the risk over time. The confidentiality and integrity of data are less directly impacted since this is primarily a denial-of-service condition, but availability degradation can indirectly affect security posture and compliance with regulations such as GDPR if services are disrupted.

Mitigation Recommendations

Mitigation of CVE-2025-21674 requires applying the official patches provided by the Linux kernel maintainers that correct the locking and remove the unnecessary flush_workqueue call in the mlx5e driver's IPsec tunnel offload code. Organizations should:
1) Identify all Linux systems using Mellanox mlx5e network drivers with IPsec tunnel offloading enabled, especially those running debug kernels or custom kernel builds.
2) Update affected Linux kernels to the latest stable versions that include the fix for this vulnerability.
3) If immediate patching is not possible, consider disabling IPsec packet offloading in tunnel mode as a temporary workaround to prevent triggering the deadlock.
4) Monitor kernel logs for warnings related to lock inversions or kernel panics associated with mlx5e and IPsec components.
5) Conduct thorough testing of kernel updates in staging environments to ensure stability before deployment in production.
6) Engage with hardware and software vendors for guidance on firmware or driver updates that may complement kernel patches.
7) Implement robust system monitoring and automated reboot mechanisms to minimize downtime in case of unexpected kernel panics.
These steps go beyond generic advice by focusing on the specific driver and feature involved, emphasizing the importance of kernel version management and operational controls in mitigating this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.736Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe97b4

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 5:09:51 PM

Last updated: 8/17/2025, 5:55:57 AM

