
CVE-2025-21678: Vulnerability in Linux

Severity: High
Type: Vulnerability
Published: Fri Jan 31 2025 (01/31/2025, 11:25:39 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

gtp: Destroy device along with udp socket's netns dismantle.

gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created.

Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0]

In this example, gtp0 is created in ns2, and the udp socket is created in ns1.

  ip netns add ns1
  ip netns add ns2
  ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn
  ip netns del ns1

Let's link the device to the socket's netns instead.

Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove all gtp devices in the netns.

[0]:
ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at
  sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)
  inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)
  __sock_create (net/socket.c:1558)
  udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18)
  gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423)
  gtp_create_sockets (drivers/net/gtp.c:1447)
  gtp_newlink (drivers/net/gtp.c:1507)
  rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012)
  rtnetlink_rcv_msg (net/core/rtnetlink.c:6922)
  netlink_rcv_skb (net/netlink/af_netlink.c:2542)
  netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347)
  netlink_sendmsg (net/netlink/af_netlink.c:1891)
  ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583)
  ___sys_sendmsg (net/socket.c:2639)
  __sys_sendmsg (net/socket.c:2669)
  do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)

WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)
Modules linked in:
CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179)
Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89
RSP: 0018:ff11000009a07b60 EFLAGS: 00010286
RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c
RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae
R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0
R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 ? __warn (kernel/panic.c:748)
 ? ref_tracker_dir_exit (lib/ref_tracker.c:179)
 ? report_bug (lib/bug.c:201 lib/bug.c:219)
 ? handle_bug (arch/x86/kernel/traps.c:285)
 ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1))
 ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
 ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
 ? ref_tracker_dir_exit (lib/ref_tracker.c:179)
 ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158)
 ? kfree (mm/slub.c:4613 mm/slub.c:4761)
 net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467)
 cleanup_net (net/core/net_namespace.c:664 (discriminator 3))
 process_one_work (kernel/workqueue.c:3229)
 worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391
---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 17:11:46 UTC

Technical Analysis

CVE-2025-21678 is a vulnerability in the Linux kernel related to the handling of GPRS Tunneling Protocol (GTP) network devices and their associated UDP sockets within network namespaces (netns). The flaw arises because the gtp_newlink() function links the GTP device to the network namespace of the device (dev_net(dev)) rather than to the network namespace of the UDP socket (src_net) that the device depends on. As a result, if the network namespace containing the UDP socket (src_net) is removed, the GTP device remains alive in the device's network namespace (dev_net(dev)). When the src_net namespace is dismantled, this dangling device reference triggers a kernel crash (splat), as evidenced by the ref_tracker errors and the kernel stack trace included in the vulnerability description. The issue is triggered specifically by creating a GTP device in one namespace and its UDP socket in another, then deleting the namespace containing the UDP socket. The root cause is a mismatch in the lifecycle management of the GTP device and its underlying UDP socket, leading to use-after-free or reference counting errors during network namespace teardown. The vulnerability can cause a denial of service (DoS) by crashing the kernel, impacting system availability. The problem has been addressed by linking the GTP device to the socket's network namespace and adjusting the cleanup routine (gtp_net_exit_batch_rtnl) to remove all GTP devices during namespace exit. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects Linux kernel versions around 6.13.0-rc5 and likely other versions with a similar GTP implementation. This issue is relevant for environments using GTP tunnels, commonly found in mobile network infrastructure and telecom-related Linux deployments.

Potential Impact

For European organizations, the impact of CVE-2025-21678 could be significant in sectors relying on Linux-based network infrastructure supporting mobile telecommunications, such as telecom operators, mobile virtual network operators (MVNOs), and enterprises using private LTE/5G networks. The vulnerability can lead to kernel crashes and system downtime, resulting in denial of service conditions that disrupt network connectivity and services. This could affect critical communication infrastructure, impacting business operations, customer service, and regulatory compliance. Additionally, organizations running containerized or virtualized environments that use network namespaces extensively may experience instability or outages if GTP tunnels are employed. Although no remote code execution or privilege escalation is indicated, the availability impact alone can be severe in high-availability telecom or industrial control systems. The lack of known exploits reduces immediate risk, but the complexity of the issue means that targeted attacks or accidental misconfigurations could trigger the vulnerability. European telecom providers and enterprises with advanced networking setups should prioritize patching to maintain service continuity and avoid operational disruptions.

Mitigation Recommendations

1. Apply the official Linux kernel patches that fix the GTP device linkage and cleanup logic as soon as they become available from trusted sources or Linux distributions.
2. Monitor kernel updates from your Linux vendor and test patches in staging environments before production deployment to ensure stability.
3. Limit the use of GTP tunnels in network namespaces where possible, or avoid cross-namespace GTP device and UDP socket configurations that trigger the vulnerability.
4. Implement strict network namespace lifecycle management and cleanup procedures to prevent dangling device references.
5. Use kernel crash monitoring and alerting tools to detect early signs of instability related to network namespace teardown.
6. For telecom operators, coordinate with equipment vendors to ensure their Linux-based network elements are updated.
7. Consider network segmentation and redundancy to minimize the impact of potential kernel crashes on critical services.
8. Document and train system administrators on the risks of improper network namespace and GTP device handling to avoid accidental triggering of the flaw.
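The following script is an added example supporting recommendations 3 and 5 above; it is not part of the advisory or of the Linux kernel project. It does two defender-side checks: it reads /proc/modules-style text to tell whether the gtp module is loaded at all (if it is not, the host cannot create the affected device), and it scans kernel log lines for the signature quoted in the description, a ref_tracker_dir_exit WARNING raised while the netns cleanup_net workqueue is tearing a namespace down. The module listing and log lines below are constructed samples modelled on the splat in the description; the splat itself only appears on kernels built with reference tracking enabled, so treat absence of the warning as "not observed", not "not affected". Function names, the window size and the sample data are this example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in /proc/modules format: name size refcount deps state offset.
SAMPLE_PROC_MODULES = """\
gtp 36864 0 - Live 0xffffffffc0a1e000
udp_tunnel 28672 1 gtp, Live 0xffffffffc0a15000
ip6_udp_tunnel 16384 1 gtp, Live 0xffffffffc0a10000
veth 32768 0 - Live 0xffffffffc09f0000
"""

# Constructed kernel log sample (dmesg-style timestamps); the address and the
# unrelated second WARNING are placeholders, not real values.
SAMPLE_KERNEL_LOG = """\
[  120.001] ref_tracker: net notrefcnt@00000000deadbeef has 1/2 users at
[  120.002] WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit
[  120.003] Workqueue: netns cleanup_net
[  120.004] Call Trace:
[  120.005]  net_free (net/core/net_namespace.c:476)
[  120.006]  cleanup_net (net/core/net_namespace.c:664)
[  300.100] veth0: renamed from eth0
[  400.200] WARNING: CPU: 0 PID: 12 at drivers/example/placeholder.c:42 unrelated_fn
"""

# ref_tracker_dir_exit firing from lib/ref_tracker.c is the splat in the CVE text.
REF_TRACKER_WARN = re.compile(
    r"WARNING: CPU: \d+ PID: \d+ at lib/ref_tracker\.c:\d+ ref_tracker_dir_exit"
)
# Evidence that the warning happened during network namespace teardown.
NETNS_TEARDOWN = re.compile(r"cleanup_net|Workqueue: netns")


def gtp_module_loaded(proc_modules_text: str) -> bool:
    """Return True if the 'gtp' kernel module is listed in /proc/modules text."""
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "gtp":
            return True
    return False


@dataclass
class Finding:
    line_no: int          # 1-based line number of the WARNING in the log text
    text: str             # the WARNING line itself
    netns_teardown: bool  # True if netns cleanup context was seen nearby


def find_ref_tracker_warnings(log_text: str, window: int = 8) -> list[Finding]:
    """Find ref_tracker_dir_exit warnings and note whether each sits in netns teardown.

    A ref_tracker warning alone only says some object's refcount was left
    dangling; the CVE-2025-21678 pattern is that warning with cleanup_net or
    the 'netns' workqueue within the next few lines of the same splat.
    """
    lines = log_text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        if not REF_TRACKER_WARN.search(line):
            continue
        context = lines[max(0, i - 2): i + window]
        in_teardown = any(NETNS_TEARDOWN.search(ctx) for ctx in context)
        findings.append(Finding(i + 1, line.strip(), in_teardown))
    return findings


def assess(proc_modules_text: str, log_text: str) -> dict[str, object]:
    """Combine exposure (gtp loaded) with observed netns-teardown splats."""
    findings = find_ref_tracker_warnings(log_text)
    teardown_hits = [f for f in findings if f.netns_teardown]
    return {
        "gtp_loaded": gtp_module_loaded(proc_modules_text),
        "ref_tracker_warnings": len(findings),
        "netns_teardown_warnings": len(teardown_hits),
        "alert": bool(teardown_hits),
    }


if __name__ == "__main__":
    # On a real host read /proc/modules and `dmesg` or `journalctl -k` output instead.
    for key, value in assess(SAMPLE_PROC_MODULES, SAMPLE_KERNEL_LOG).items():
        print(f"{key}: {value}")
```

The two checks are kept separate on purpose: a host with gtp loaded is exposed regardless of whether the splat has ever been logged, while a netns-teardown ref_tracker warning on a host without gtp points at a different refcount bug and should be triaged separately.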


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.738Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe97cd

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 5:11:46 PM

Last updated: 8/13/2025, 7:13:41 PM
