CVE-2025-21692: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing

Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation.

[ 18.852298] ------------[ cut here ]------------
[ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20
[ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'
[ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17
[ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 18.856532] Call Trace:
[ 18.857441] <TASK>
[ 18.858227] dump_stack_lvl+0xc2/0xf0
[ 18.859607] dump_stack+0x10/0x20
[ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0
[ 18.864022] ets_class_change+0x3d6/0x3f0
[ 18.864322] tc_ctl_tclass+0x251/0x910
[ 18.864587] ? lock_acquire+0x5e/0x140
[ 18.865113] ? __mutex_lock+0x9c/0xe70
[ 18.866009] ? __mutex_lock+0xa34/0xe70
[ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0
[ 18.866806] ? __lock_acquire+0x578/0xc10
[ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 18.867503] netlink_rcv_skb+0x59/0x110
[ 18.867776] rtnetlink_rcv+0x15/0x30
[ 18.868159] netlink_unicast+0x1c3/0x2b0
[ 18.868440] netlink_sendmsg+0x239/0x4b0
[ 18.868721] ____sys_sendmsg+0x3e2/0x410
[ 18.869012] ___sys_sendmsg+0x88/0xe0
[ 18.869276] ? rseq_ip_fixup+0x198/0x260
[ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190
[ 18.869900] ? trace_hardirqs_off+0x5a/0xd0
[ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220
[ 18.870547] ? do_syscall_64+0x93/0x150
[ 18.870821] ? __memcg_slab_free_hook+0x69/0x290
[ 18.871157] __sys_sendmsg+0x69/0xd0
[ 18.871416] __x64_sys_sendmsg+0x1d/0x30
[ 18.871699] x64_sys_call+0x9e2/0x2670
[ 18.871979] do_syscall_64+0x87/0x150
[ 18.873280] ? do_syscall_64+0x93/0x150
[ 18.874742] ? lock_release+0x7b/0x160
[ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0
[ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210
[ 18.879608] ? irqentry_exit+0x77/0xb0
[ 18.879808] ? clear_bhb_loop+0x15/0x70
[ 18.880023] ? clear_bhb_loop+0x15/0x70
[ 18.880223] ? clear_bhb_loop+0x15/0x70
[ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 18.880683] RIP: 0033:0x44a957
[ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957
[ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003
[ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0
[ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001
[ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001
[ 18.888395] </TASK>
[ 18.888610] ---[ end trace ]---
AI Analysis
Technical Summary
CVE-2025-21692 is an out-of-bounds (OOB) array index in the Linux kernel's packet scheduler, in the ETS (Enhanced Transmission Selection, IEEE 802.1Qaz) queuing discipline implemented in net/sched/sch_ets.c. The helper ets_class_from_arg() turns the opaque class handle that the qdisc core passes around (an unsigned long holding a 1-based band number) into a pointer into the qdisc's fixed array of 16 class slots by computing classes[arg - 1], with no range check. The ETS find() callback returns 0 to mean "no such class", and tc_ctl_tclass() still calls the class change() callback for a new-class request whose class was not found, so a request naming a classid whose minor number is 0 (or any band the qdisc was not configured with) reaches ets_class_change() with arg == 0. The subtraction wraps to 18446744073709551615 (ULONG_MAX, the -1 that UBSAN reports against the type 'ets_class [16]'), and the kernel reads and writes memory far outside the array. The trace above shows exactly that path: sendmsg() on a rtnetlink socket, rtnetlink_rcv_msg(), tc_ctl_tclass(), ets_class_change(). The commit message rates the consequence as a possible local privilege escalation; the write is attacker-influenced, so that is a fair assessment, although no public exploit is known and the record carries no CVSS score. The privilege actually needed is CAP_NET_ADMIN in the network namespace that owns the qdisc. On kernels that allow unprivileged user namespaces, the default on most distributions, any local user can create a user plus network namespace in which they hold that capability, attach an ETS qdisc to the namespace's loopback interface and send the malformed class request, so the bug should be treated as reachable by unprivileged local users; the sch_ets module only has to be loaded or autoloadable. The UBSAN report was captured on 6.12.6, but the unchecked index lives in the ETS qdisc itself, so older kernel series that ship sch_ets are affected as well until they carry the stable backport of "net: sched: fix ets qdisc OOB Indexing". The bug was reported by Haowei Yan; the fix adds the missing range check so that a failed class lookup is rejected instead of being used as an index.
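The lookup pattern at the heart of the bug, modelled in user space as an added example. This is not the kernel's code: the struct, field and function names only mirror net/sched/sch_ets.c, the classid macros are copied from linux/pkt_sched.h, and the checked variant is one reasonable way to write the range check rather than a claim about the exact merged patch.

```c
/*
 * Added illustration of the CVE-2025-21692 lookup pattern, in user space.
 * Not the kernel's code: names loosely mirror net/sched/sch_ets.c; the
 * TC_H_MIN macro and the 16-band limit are taken from linux/pkt_sched.h.
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define TC_H_MIN_MASK     0x0000FFFFU
#define TC_H_MIN(h)       ((h) & TC_H_MIN_MASK)   /* minor number of a tc handle */
#define TCQ_ETS_MAX_BANDS 16                       /* matches 'ets_class [16]' in the UBSAN report */

struct ets_class { unsigned int quantum; };

struct ets_sched {
	unsigned int nbands;                           /* bands configured on this qdisc (<= 16) */
	struct ets_class classes[TCQ_ETS_MAX_BANDS];
};

/* Mirrors the qdisc's find(): minor 1..nbands names a band, 0 means "no such class". */
static unsigned long ets_find(const struct ets_sched *q, unsigned int classid)
{
	unsigned long band = TC_H_MIN(classid);

	if (band - 1 >= q->nbands)                     /* band == 0 wraps to ULONG_MAX and is rejected */
		return 0;
	return band;
}

/*
 * The index the unpatched lookup computes: arg - 1 with no check. The kernel
 * used it directly on the 16-entry array; for arg == 0 it is ULONG_MAX, the
 * 18446744073709551615 in the UBSAN line. Only the index is computed here,
 * forming the out-of-bounds pointer itself would be undefined behaviour.
 */
static unsigned long vulnerable_index(unsigned long arg)
{
	return arg - 1;
}

/* Bounds-checked lookup: NULL for arg == 0 or for a band beyond the configured count. */
static struct ets_class *ets_class_from_arg_checked(struct ets_sched *q, unsigned long arg)
{
	if (arg == 0 || arg > q->nbands)
		return NULL;
	return &q->classes[arg - 1];
}

/*
 * Models the tc_ctl_tclass() -> change() step: a "tc class change" for a class
 * the qdisc does not have arrives with arg == 0 (the find() result). Returns 0
 * on success and -1 when the class does not exist; the unpatched kernel indexed
 * classes[-1] at this point instead of failing.
 */
static int ets_class_change_checked(struct ets_sched *q, unsigned int classid, unsigned int quantum)
{
	unsigned long arg = ets_find(q, classid);
	struct ets_class *cl = ets_class_from_arg_checked(q, arg);

	if (!cl)
		return -1;
	cl->quantum = quantum;
	return 0;
}

int main(void)
{
	struct ets_sched q = { .nbands = 8 };          /* constructed qdisc with 8 of 16 bands in use */

	printf("find(1:0) -> %lu\n", ets_find(&q, 0x00010000));            /* 0: no such class */
	printf("find(1:9) -> %lu\n", ets_find(&q, 0x00010009));            /* 0: beyond nbands */
	printf("unchecked index for arg 0 -> %lu\n", vulnerable_index(0)); /* ULONG_MAX on 64-bit */
	printf("change 1:0 -> %d\n", ets_class_change_checked(&q, 0x00010000, 1500)); /* -1 */
	printf("change 1:3 -> %d\n", ets_class_change_checked(&q, 0x00010003, 1500)); /* 0 */
	return 0;
}
```

Build with `cc -std=c11 -Wall` and run: on a 64-bit host the unchecked index for arg 0 prints as 18446744073709551615, the value in the UBSAN line, while the checked lookup turns the same request into an error return instead of a memory access. The find() side already rejects minor 0, which is why the flaw is not in find() but in the change handler trusting a handle of 0 that find() returned to signal failure.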
Potential Impact
For European organizations the impact of CVE-2025-21692 follows from what the bug is: an attacker-reachable out-of-bounds read and write in kernel memory, which is the raw material for a local privilege escalation to root and therefore full host compromise, with everything that follows from it (unauthorized data access, disruption of services, persistence, ransomware staging and lateral movement). The exposure is broad because sch_ets ships with every mainstream distribution kernel and the trigger path is open to unprivileged local accounts wherever unprivileged user namespaces are allowed. Linux is ubiquitous in European government, financial, telecommunications and critical-infrastructure estates, so most organizations have affected hosts. Containerized environments deserve particular attention: all containers on a host share one kernel, so a container that holds CAP_NET_ADMIN in its own network namespace, or that can create user namespaces, is a viable starting point for an escape to the host. A hypervisor boundary, by contrast, is not crossed by this bug; a virtual machine guest can only compromise its own kernel. No exploit is known in the wild, which gives a window for patching, but the networking stack is a well-trodden target for kernel exploit developers, and an out-of-bounds write with a published trace and a known trigger program (the "poc" process in the report) is the kind of bug that is turned into a working exploit quickly.
Mitigation Recommendations
To mitigate CVE-2025-21692 effectively, European organizations should:
1) Patch first. Deploy the distribution kernel that carries the fix "net: sched: fix ets qdisc OOB Indexing" (search the stable changelog or the distribution advisory for that title or for CVE-2025-21692) and reboot; a kernel fix is not live until the patched kernel is the running one, which `uname -r` confirms.
2) Where patching must wait, prevent the vulnerable module from being used at all. A plain blacklist entry is not enough, because tc autoloads qdisc modules on demand; add `install sch_ets /bin/false` to a file under /etc/modprobe.d/ and unload any loaded copy, then verify with `lsmod | grep sch_ets` and `tc qdisc show` that ETS is neither loaded nor in use. If ETS is in production (it provides 802.1Qaz-style bandwidth sharing, typically on DCB-capable NICs), move that traffic to another qdisc before doing this.
3) Close the unprivileged trigger path. Reaching tc requires CAP_NET_ADMIN in the network namespace, which an unprivileged user normally obtains only through user namespaces; on hosts that do not need them, set `user.max_user_namespaces=0` (or `kernel.unprivileged_userns_clone=0` on Debian-derived kernels that carry that sysctl) and restrict who may run tc with sudo rules or SELinux/AppArmor policy.
4) In container platforms, do not grant CAP_NET_ADMIN to untrusted workloads, keep a seccomp profile that blocks unshare()/clone() with CLONE_NEWUSER, and disable user namespaces inside containers where the runtime supports it.
5) Monitor kernel logs for signs of a trigger: on UBSAN-enabled kernels the line "UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c" as in the trace above, and on production kernels any oops or general protection fault whose call trace contains ets_class_change or tc_ctl_tclass. Alert on tc qdisc and class changes from non-administrative accounts or from namespaces where no network configuration is expected.
6) Treat kernel vulnerability management as continuous: the kernel CNA issues CVEs at high volume, so track its feed and the distribution's kernel advisories rather than waiting for a CVSS score, which this record does not yet carry.
7) Brief administrators on the local privilege escalation class: such bugs turn any foothold (a compromised service account, a CI runner, a developer workstation) into root, so timely kernel updates and least privilege for local users are the controls that matter.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.742Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe982a
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 5:40:41 PM
Last updated: 8/15/2025, 8:14:44 AM