
CVE-2025-21677: Vulnerability in Linux Linux

Severity: High
Published: Fri Jan 31 2025 (01/31/2025, 11:25:38 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

pfcp: Destroy device along with udp socket's netns dismantle.

pfcp_newlink() links the device to a list in dev_net(dev) instead of net, where a udp tunnel socket is created.

Even when net is removed, the device stays alive on dev_net(dev). Then, removing net triggers the splat below. [0]

In this example, pfcp0 is created in ns2, but the udp socket is created in ns1.

  ip netns add ns1
  ip netns add ns2
  ip -n ns1 link add netns ns2 name pfcp0 type pfcp
  ip netns del ns1

Let's link the device to the socket's netns instead.

Now, pfcp_net_exit() needs another netdev iteration to remove all pfcp devices in the netns.

pfcp_dev_list is not used under RCU, so the list API is converted to the non-RCU variant.

pfcp_net_exit() can be converted to .exit_batch_rtnl() in net-next.

[0]:
  ref_tracker: net notrefcnt@00000000128b34dc has 1/1 users at
    sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)
    inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)
    __sock_create (net/socket.c:1558)
    udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18)
    pfcp_create_sock (drivers/net/pfcp.c:168)
    pfcp_newlink (drivers/net/pfcp.c:182 drivers/net/pfcp.c:197)
    rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012)
    rtnetlink_rcv_msg (net/core/rtnetlink.c:6922)
    netlink_rcv_skb (net/netlink/af_netlink.c:2542)
    netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347)
    netlink_sendmsg (net/netlink/af_netlink.c:1891)
    ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583)
    ___sys_sendmsg (net/socket.c:2639)
    __sys_sendmsg (net/socket.c:2669)
    do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
  WARNING: CPU: 1 PID: 11 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)
  Modules linked in:
  CPU: 1 UID: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
  Workqueue: netns cleanup_net
  RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179)
  Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89
  RSP: 0018:ff11000007f3fb60 EFLAGS: 00010286
  RAX: 00000000000020ef RBX: ff1100000d6481e0 RCX: 1ffffffff0e40d82
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c
  RBP: ff1100000d648230 R08: 0000000000000001 R09: fffffbfff0e395af
  R10: 0000000000000001 R11: 0000000000000000 R12: ff1100000d648230
  R13: dead000000000100 R14: ff1100000d648230 R15: dffffc0000000000
  FS:  0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00005620e1363990 CR3: 000000000eeb2002 CR4: 0000000000771ef0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? __warn (kernel/panic.c:748)
   ? ref_tracker_dir_exit (lib/ref_tracker.c:179)
   ? report_bug (lib/bug.c:201 lib/bug.c:219)
   ? handle_bug (arch/x86/kernel/traps.c:285)
   ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1))
   ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
   ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
   ? ref_tracker_dir_exit (lib/ref_tracker.c:179)
   ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158)
   ? kfree (mm/slub.c:4613 mm/slub.c:4761)
   net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467)
   cleanup_net (net/cor ---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 17:11:21 UTC

Technical Analysis

CVE-2025-21677 is a vulnerability in the Linux kernel related to the handling of PFCP (Packet Forwarding Control Protocol) network devices and UDP socket network namespaces (netns). The issue arises because the pfcp_newlink() function incorrectly links the PFCP device to a list in dev_net(dev) rather than the network namespace (net) where the UDP tunnel socket is created. This causes the device to remain alive even after the associated network namespace is removed, leading to a use-after-free or dangling pointer condition. Specifically, when a network namespace is deleted, the device linked to dev_net(dev) is not properly cleaned up, which triggers a kernel crash (splat) due to invalid references during netns teardown.

The vulnerability is demonstrated by creating two network namespaces (ns1 and ns2), adding a PFCP device from ns1 to ns2, and then deleting ns1, which leads to the crash. The root cause is that the PFCP device list is not managed under Read-Copy-Update (RCU) synchronization, requiring conversion to non-RCU list APIs and additional iterations during netns exit to remove all PFCP devices correctly. The kernel panic and stack trace indicate a failure in reference tracking during netns cleanup, resulting in a kernel oops.

This vulnerability affects Linux kernel versions around 6.13.0-rc5 and likely other versions using similar PFCP device handling code. No CVSS score is assigned yet, and no known exploits are reported in the wild. The issue is technical and specific to network namespace and PFCP device lifecycle management in the Linux kernel networking subsystem.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to environments running Linux kernels with PFCP support and using network namespaces extensively, such as telecom operators, cloud providers, and enterprises deploying containerized or virtualized network functions. Exploitation could lead to kernel crashes causing denial of service (DoS) on critical network infrastructure, impacting availability of services. Since PFCP is used in 5G core network components, telecom operators in Europe could face service disruptions or outages if vulnerable systems are exploited. Although no remote code execution or privilege escalation is indicated, the kernel panic could be triggered by crafted netlink messages or namespace manipulations, potentially by malicious insiders or attackers with local access. The impact on confidentiality and integrity is limited, but availability impact can be significant for network-dependent services. Organizations relying on Linux-based network functions virtualization (NFV) or containerized network stacks should be particularly cautious. The lack of known exploits reduces immediate risk, but the complexity of the bug and kernel panic potential means patching is critical to prevent accidental or malicious DoS.

Mitigation Recommendations

1. Apply the official Linux kernel patches addressing CVE-2025-21677 as soon as they become available, ensuring the pfcp device lifecycle is correctly managed during netns teardown.
2. For environments using custom or backported kernels, backport the fix to the pfcp_newlink() and pfcp_net_exit() functions so that devices are linked to the correct netns and cleaned up properly.
3. Limit the creation and deletion of network namespaces and PFCP devices to trusted administrators to reduce the risk of accidental or malicious triggering of the vulnerability.
4. Monitor kernel logs for netns cleanup errors or kernel panics related to PFCP devices to detect potential exploitation attempts or misconfigurations.
5. In telecom or NFV environments, validate network function configurations to avoid cross-namespace device linking that could trigger the bug.
6. Employ kernel hardening and isolation techniques such as seccomp filters or namespace restrictions to limit the ability of unprivileged users or containers to manipulate network namespaces or PFCP devices.
7. Regularly update Linux kernels to the latest stable releases to benefit from ongoing security fixes and improvements in network namespace management.
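Recommendation 4 asks for log monitoring but does not say what to match on. The following detector is an added example (not part of the CVE record, the kernel, or the offseq tooling) that scans dmesg-style lines for the three elements of the splat quoted in the description: a ref_tracker "net notrefcnt" leak report whose holder stack passes through pfcp_create_sock()/pfcp_newlink(), the WARNING raised in ref_tracker_dir_exit(), and the "Workqueue: netns cleanup_net" context. The sample log below is constructed from the quoted splat; the second report (address 00000000deadbeef, a placeholder) is a netns leak with no PFCP frames and is included to show that the detector does not flag every ref_tracker report.

```python
"""Kernel-log detector for the netns-teardown splat quoted in CVE-2025-21677.

Added example, not the project's own code. Signatures come from the splat in
the CVE description; the log lines in SAMPLE_DMESG are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# dmesg timestamp prefix such as "[   12.001000] " (journald lines without it also work).
PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
# ref_tracker leak report header: "ref_tracker: net notrefcnt@<addr> has N/M users at"
LEAK_RE = re.compile(r"ref_tracker: net notrefcnt@[0-9a-f]+ has (\d+)/(\d+) users at")
# WARNING fired inside ref_tracker_dir_exit() when a netns dies with live refs.
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: \d+ at lib/ref_tracker\.c:\d+ ref_tracker_dir_exit")
PFCP_FRAMES = ("pfcp_create_sock", "pfcp_newlink")  # frames seen in the holder stack
NETNS_CLEANUP = "Workqueue: netns cleanup_net"       # teardown context from the splat


@dataclass
class LeakReport:
    first_line: int                    # 1-based line number of the ref_tracker header
    users: int                         # leaked references ("has N/M users")
    pfcp_frames: List[str] = field(default_factory=list)
    warning_seen: bool = False
    netns_cleanup: bool = False

    def matches_pfcp_teardown(self) -> bool:
        """All three signature elements of the CVE-2025-21677 splat are present."""
        return bool(self.pfcp_frames) and self.warning_seen and self.netns_cleanup


def strip_prefix(raw: str) -> str:
    """Drop the dmesg timestamp and surrounding whitespace."""
    return PREFIX_RE.sub("", raw, count=1).strip()


def scan_kernel_log(lines) -> List[LeakReport]:
    """Group each ref_tracker leak report with the holder stack and WARNING that follow it.

    Lines are attributed to the most recent report header until the next one appears.
    """
    reports: List[LeakReport] = []
    current: Optional[LeakReport] = None
    for lineno, raw in enumerate(lines, start=1):
        line = strip_prefix(raw)
        header = LEAK_RE.search(line)
        if header:
            current = LeakReport(first_line=lineno, users=int(header.group(1)))
            reports.append(current)
            continue
        if current is None:
            continue
        frame = line.split(" ", 1)[0]          # "pfcp_newlink (drivers/net/pfcp.c:...)" -> "pfcp_newlink"
        if frame in PFCP_FRAMES:
            current.pfcp_frames.append(frame)
        if WARN_RE.search(line):
            current.warning_seen = True
        if NETNS_CLEANUP in line:
            current.netns_cleanup = True
    return reports


def pfcp_teardown_alerts(lines) -> List[LeakReport]:
    """Only the reports that carry the full CVE-2025-21677 signature."""
    return [r for r in scan_kernel_log(lines) if r.matches_pfcp_teardown()]


# Constructed sample: first report mirrors the splat in the CVE description,
# second is an unrelated netns leak (placeholder address) with no PFCP frames.
SAMPLE_DMESG = """\
[   12.001000] ref_tracker: net notrefcnt@00000000128b34dc has 1/1 users at
[   12.001001] sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)
[   12.001002] inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)
[   12.001003] __sock_create (net/socket.c:1558)
[   12.001004] udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18)
[   12.001005] pfcp_create_sock (drivers/net/pfcp.c:168)
[   12.001006] pfcp_newlink (drivers/net/pfcp.c:182 drivers/net/pfcp.c:197)
[   12.001007] rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012)
[   12.001008] WARNING: CPU: 1 PID: 11 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)
[   12.001009] Modules linked in:
[   12.001010] CPU: 1 UID: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5
[   12.001011] Workqueue: netns cleanup_net
[   12.001012] Call Trace:
[   12.001013] net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467)
[   30.500000] ref_tracker: net notrefcnt@00000000deadbeef has 1/1 users at
[   30.500001] sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)
[   30.500002] inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)
[   30.500003] WARNING: CPU: 0 PID: 9 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)
[   30.500004] Workqueue: netns cleanup_net
"""

if __name__ == "__main__":
    for alert in pfcp_teardown_alerts(SAMPLE_DMESG.splitlines()):
        print(f"line {alert.first_line}: netns leaked {alert.users} ref(s) via {alert.pfcp_frames}")
```

In production the input would be `dmesg` or `journalctl -k` output piped line by line; the detector is deliberately keyed on the holder stack rather than the register dump, which varies per build, and a hit should be treated as evidence that a PFCP device outlived its socket's netns, whether from a misconfiguration or deliberate namespace manipulation.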


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.738Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe97c0

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 5:11:21 PM

Last updated: 8/14/2025, 5:29:06 AM
