CVE-2025-21710: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: tcp: correct handling of extreme memory squeeze Testing with iperf3 using the "pasta" protocol splicer has revealed a problem in the way tcp handles window advertising in extreme memory squeeze situations. Under memory pressure, a socket endpoint may temporarily advertise a zero-sized window, but this is not stored as part of the socket data. The reasoning behind this is that it is considered a temporary setting which shouldn't influence any further calculations. However, if we happen to stall at an unfortunate value of the current window size, the algorithm selecting a new value will consistently fail to advertise a non-zero window once we have freed up enough memory. This means that this side's notion of the current window size is different from the one last advertised to the peer, causing the latter to not send any data to resolve the sitution. The problem occurs on the iperf3 server side, and the socket in question is a completely regular socket with the default settings for the fedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket. The following excerpt of a logging session, with own comments added, shows more in detail what is happening: // tcp_v4_rcv(->) // tcp_rcv_established(->) [5201<->39222]: ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ==== [5201<->39222]: tcp_data_queue(->) [5201<->39222]: DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184] [copied_seq 259909392->260034360 (124968), unread 5565800, qlen 85, ofoq 0] [OFO queue: gap: 65480, len: 0] [5201<->39222]: tcp_data_queue(<-) [5201<->39222]: __tcp_transmit_skb(->) [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] [5201<->39222]: tcp_select_window(->) [5201<->39222]: (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_NOMEM) ? --> TRUE [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] returning 0 [5201<->39222]: tcp_select_window(<-) [5201<->39222]: ADVERTISING WIN 0, ACK_SEQ: 265600160 [5201<->39222]: [__tcp_transmit_skb(<-) [5201<->39222]: tcp_rcv_established(<-) [5201<->39222]: tcp_v4_rcv(<-) // Receive queue is at 85 buffers and we are out of memory. // We drop the incoming buffer, although it is in sequence, and decide // to send an advertisement with a window of zero. // We don't update tp->rcv_wnd and tp->rcv_wup accordingly, which means // we unconditionally shrink the window. [5201<->39222]: tcp_recvmsg_locked(->) [5201<->39222]: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 [5201<->39222]: [new_win = 0, win_now = 131184, 2 * win_now = 262368] [5201<->39222]: [new_win >= (2 * win_now) ? --> time_to_ack = 0] [5201<->39222]: NOT calling tcp_send_ack() [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] [5201<->39222]: __tcp_cleanup_rbuf(<-) [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184] [copied_seq 260040464->260040464 (0), unread 5559696, qlen 85, ofoq 0] returning 6104 bytes [5201<->39222]: tcp_recvmsg_locked(<-) // After each read, the algorithm for calculating the new receive // window in __tcp_cleanup_rbuf() finds it is too small to advertise // or to update tp->rcv_wnd. // Meanwhile, the peer thinks the window is zero, and will not send // any more data to trigger an update from the interrupt mode side. [5201<->39222]: tcp_recvmsg_locked(->) [5201<->39222]: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 [5201<->39222]: [new_win = 262144, win_now = 131184, 2 * win_n ---truncated---
AI Analysis
Technical Summary
CVE-2025-21710 is a vulnerability identified in the Linux kernel's TCP implementation related to the handling of TCP window advertisement under conditions of extreme memory pressure. The issue arises when the system experiences memory squeeze, causing the TCP socket endpoint to temporarily advertise a zero-sized receive window to its peer. This zero window advertisement is intended as a transient state and is not stored as part of the socket's persistent data. However, due to a flaw in the window size management algorithm, once memory pressure is relieved, the TCP stack fails to update the advertised window size back to a non-zero value. This results in a mismatch between the local socket's notion of the receive window and what the peer believes it to be. Consequently, the peer continues to perceive the receive window as zero and refrains from sending further data, effectively stalling the TCP connection. The vulnerability manifests on the server side, specifically observed during testing with iperf3 using the "pasta" protocol splicer on Fedora 40 kernels. The kernel drops incoming TCP segments due to memory exhaustion, advertises a zero window without updating internal window tracking variables, and subsequently fails to send acknowledgments or window updates that would prompt the peer to resume data transmission. This leads to a deadlock where the connection is stalled indefinitely until external intervention or connection reset. Technically, the root cause is the failure to update the tp->rcv_wnd and tp->rcv_wup variables after advertising a zero window under memory pressure, causing the TCP window scaling and flow control algorithms to stall. The problem is exacerbated by the receive queue filling up and the kernel dropping packets with SKB_DROP_REASON_PROTO_MEM. The detailed kernel logs show the TCP stack dropping packets, advertising zero windows, and not triggering acknowledgments or window updates to recover from the zero window state. This vulnerability affects Linux kernels incorporating the flawed TCP window management code, including Fedora 40 and potentially other distributions using the same kernel version or patches. No known exploits are currently reported in the wild, but the issue can cause denial of service by stalling TCP connections under specific memory pressure conditions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running vulnerable Linux kernels, especially those handling high volumes of TCP traffic under memory pressure. The impact is a potential denial of service (DoS) condition where TCP connections stall indefinitely, disrupting critical services such as web servers, application servers, and network appliances. This can degrade service availability, impact business continuity, and cause operational disruptions. Industries relying heavily on Linux-based infrastructure, including telecommunications, finance, cloud service providers, and public sector entities, may experience degraded network performance or outages during peak load or memory-constrained scenarios. The vulnerability does not directly lead to data breaches or privilege escalation but can be exploited to cause service interruptions, which in turn could be leveraged as part of a broader attack strategy. Given the reliance on Linux in European data centers and cloud environments, the vulnerability could affect internal and customer-facing services. The lack of user interaction or authentication requirements means that an attacker or even a benign memory pressure condition could trigger the issue, increasing the risk of unintentional or deliberate service disruption.
Mitigation Recommendations
To mitigate this vulnerability, organizations should prioritize updating their Linux kernels to versions where this TCP window management flaw is patched. Since no patch links are provided, monitoring official Linux kernel repositories and distribution security advisories (e.g., Fedora, Debian, Ubuntu) for updates addressing CVE-2025-21710 is critical. In the interim, administrators can implement the following specific measures: 1. Monitor system memory usage and TCP socket queues closely to detect early signs of memory pressure and TCP stalls. 2. Tune kernel TCP parameters to reduce the likelihood of receive buffer exhaustion, such as increasing net.core.rmem_max and net.ipv4.tcp_rmem values to allow larger receive buffers. 3. Employ system-level memory management improvements to prevent extreme memory squeeze situations, including cgroup memory limits and proactive resource allocation. 4. Use network traffic shaping or load balancing to distribute TCP connections and reduce per-socket memory pressure. 5. Implement application-level timeouts and TCP keepalive settings to detect and recover stalled connections promptly. 6. Consider deploying kernel live patching solutions if available to apply fixes without downtime. These targeted mitigations go beyond generic advice by focusing on memory pressure management and TCP receive window tuning to reduce the vulnerability's triggering conditions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
CVE-2025-21710: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: tcp: correct handling of extreme memory squeeze Testing with iperf3 using the "pasta" protocol splicer has revealed a problem in the way tcp handles window advertising in extreme memory squeeze situations. Under memory pressure, a socket endpoint may temporarily advertise a zero-sized window, but this is not stored as part of the socket data. The reasoning behind this is that it is considered a temporary setting which shouldn't influence any further calculations. However, if we happen to stall at an unfortunate value of the current window size, the algorithm selecting a new value will consistently fail to advertise a non-zero window once we have freed up enough memory. This means that this side's notion of the current window size is different from the one last advertised to the peer, causing the latter to not send any data to resolve the sitution. The problem occurs on the iperf3 server side, and the socket in question is a completely regular socket with the default settings for the fedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket. The following excerpt of a logging session, with own comments added, shows more in detail what is happening: // tcp_v4_rcv(->) // tcp_rcv_established(->) [5201<->39222]: ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ==== [5201<->39222]: tcp_data_queue(->) [5201<->39222]: DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184] [copied_seq 259909392->260034360 (124968), unread 5565800, qlen 85, ofoq 0] [OFO queue: gap: 65480, len: 0] [5201<->39222]: tcp_data_queue(<-) [5201<->39222]: __tcp_transmit_skb(->) [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] [5201<->39222]: tcp_select_window(->) [5201<->39222]: (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_NOMEM) ? --> TRUE [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] returning 0 [5201<->39222]: tcp_select_window(<-) [5201<->39222]: ADVERTISING WIN 0, ACK_SEQ: 265600160 [5201<->39222]: [__tcp_transmit_skb(<-) [5201<->39222]: tcp_rcv_established(<-) [5201<->39222]: tcp_v4_rcv(<-) // Receive queue is at 85 buffers and we are out of memory. // We drop the incoming buffer, although it is in sequence, and decide // to send an advertisement with a window of zero. // We don't update tp->rcv_wnd and tp->rcv_wup accordingly, which means // we unconditionally shrink the window. [5201<->39222]: tcp_recvmsg_locked(->) [5201<->39222]: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 [5201<->39222]: [new_win = 0, win_now = 131184, 2 * win_now = 262368] [5201<->39222]: [new_win >= (2 * win_now) ? --> time_to_ack = 0] [5201<->39222]: NOT calling tcp_send_ack() [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] [5201<->39222]: __tcp_cleanup_rbuf(<-) [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184] [copied_seq 260040464->260040464 (0), unread 5559696, qlen 85, ofoq 0] returning 6104 bytes [5201<->39222]: tcp_recvmsg_locked(<-) // After each read, the algorithm for calculating the new receive // window in __tcp_cleanup_rbuf() finds it is too small to advertise // or to update tp->rcv_wnd. // Meanwhile, the peer thinks the window is zero, and will not send // any more data to trigger an update from the interrupt mode side. [5201<->39222]: tcp_recvmsg_locked(->) [5201<->39222]: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 [5201<->39222]: [new_win = 262144, win_now = 131184, 2 * win_n ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2025-21710 is a vulnerability identified in the Linux kernel's TCP implementation related to the handling of TCP window advertisement under conditions of extreme memory pressure. The issue arises when the system experiences memory squeeze, causing the TCP socket endpoint to temporarily advertise a zero-sized receive window to its peer. This zero window advertisement is intended as a transient state and is not stored as part of the socket's persistent data. However, due to a flaw in the window size management algorithm, once memory pressure is relieved, the TCP stack fails to update the advertised window size back to a non-zero value. This results in a mismatch between the local socket's notion of the receive window and what the peer believes it to be. Consequently, the peer continues to perceive the receive window as zero and refrains from sending further data, effectively stalling the TCP connection. The vulnerability manifests on the server side, specifically observed during testing with iperf3 using the "pasta" protocol splicer on Fedora 40 kernels. The kernel drops incoming TCP segments due to memory exhaustion, advertises a zero window without updating internal window tracking variables, and subsequently fails to send acknowledgments or window updates that would prompt the peer to resume data transmission. This leads to a deadlock where the connection is stalled indefinitely until external intervention or connection reset. Technically, the root cause is the failure to update the tp->rcv_wnd and tp->rcv_wup variables after advertising a zero window under memory pressure, causing the TCP window scaling and flow control algorithms to stall. The problem is exacerbated by the receive queue filling up and the kernel dropping packets with SKB_DROP_REASON_PROTO_MEM. The detailed kernel logs show the TCP stack dropping packets, advertising zero windows, and not triggering acknowledgments or window updates to recover from the zero window state. This vulnerability affects Linux kernels incorporating the flawed TCP window management code, including Fedora 40 and potentially other distributions using the same kernel version or patches. No known exploits are currently reported in the wild, but the issue can cause denial of service by stalling TCP connections under specific memory pressure conditions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running vulnerable Linux kernels, especially those handling high volumes of TCP traffic under memory pressure. The impact is a potential denial of service (DoS) condition where TCP connections stall indefinitely, disrupting critical services such as web servers, application servers, and network appliances. This can degrade service availability, impact business continuity, and cause operational disruptions. Industries relying heavily on Linux-based infrastructure, including telecommunications, finance, cloud service providers, and public sector entities, may experience degraded network performance or outages during peak load or memory-constrained scenarios. The vulnerability does not directly lead to data breaches or privilege escalation but can be exploited to cause service interruptions, which in turn could be leveraged as part of a broader attack strategy. Given the reliance on Linux in European data centers and cloud environments, the vulnerability could affect internal and customer-facing services. The lack of user interaction or authentication requirements means that an attacker or even a benign memory pressure condition could trigger the issue, increasing the risk of unintentional or deliberate service disruption.
Mitigation Recommendations
To mitigate this vulnerability, organizations should prioritize updating their Linux kernels to versions where this TCP window management flaw is patched. Since no patch links are provided, monitoring official Linux kernel repositories and distribution security advisories (e.g., Fedora, Debian, Ubuntu) for updates addressing CVE-2025-21710 is critical. In the interim, administrators can implement the following specific measures: 1. Monitor system memory usage and TCP socket queues closely to detect early signs of memory pressure and TCP stalls. 2. Tune kernel TCP parameters to reduce the likelihood of receive buffer exhaustion, such as increasing net.core.rmem_max and net.ipv4.tcp_rmem values to allow larger receive buffers. 3. Employ system-level memory management improvements to prevent extreme memory squeeze situations, including cgroup memory limits and proactive resource allocation. 4. Use network traffic shaping or load balancing to distribute TCP connections and reduce per-socket memory pressure. 5. Implement application-level timeouts and TCP keepalive settings to detect and recover stalled connections promptly. 6. Consider deploying kernel live patching solutions if available to apply fixes without downtime. These targeted mitigations go beyond generic advice by focusing on memory pressure management and TCP receive window tuning to reduce the vulnerability's triggering conditions.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.752Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9832c4522896dcbe8554
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 8:25:36 AM
Last updated: 8/10/2025, 11:11:08 AM
Views: 20
Related Threats
CVE-2025-9020: Use After Free in PX4 PX4-Autopilot
LowCVE-2025-8604: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wptb WP Table Builder – WordPress Table Plugin
MediumCVE-2025-9016: Uncontrolled Search Path in Mechrevo Control Center GX V2
HighCVE-2025-8451: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Addons for Elementor – Popular Elementor Templates & Widgets
MediumCVE-2025-8013: CWE-918 Server-Side Request Forgery (SSRF) in quttera Quttera Web Malware Scanner
LowActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.