
CVE-2025-21718: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

Severity: High
Type: Vulnerability
Tags: CVE-2025-21718, cve
Published: Thu Feb 27 2025 (02/27/2025, 02:07:27 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: rose: fix timer races against user threads

Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread. Add a check and rearm the timers if needed.

BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
Read of size 2 at addr ffff88802f09b82a by task swapper/0/0

CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
 call_timer_fn+0x187/0x650 kernel/time/timer.c:1793
 expire_timers kernel/time/timer.c:1844 [inline]
 __run_timers kernel/time/timer.c:2418 [inline]
 __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430
 run_timer_base kernel/time/timer.c:2439 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449
 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>

AI-Powered Analysis

Last updated: 06/30/2025, 08:26:52 UTC

Technical Analysis

CVE-2025-21718 is a vulnerability in the Linux kernel's 'rose' networking protocol implementation (net/rose), caused by a race between the protocol's timers and user threads. Rose timers acquire only the socket spinlock and do not check whether the socket is currently owned by a user thread, so a timer callback can run while a user thread is still operating on the same socket. The result is a use-after-free: the kernel address sanitizer (KASAN) report in the description shows a slab-use-after-free read in rose_timer_expiry (net/rose/rose_timer.c:174) during timer expiry in softirq context, where the timer touches socket data that a concurrent user thread has already freed or modified. The fix adds the missing ownership check and rearms the timer when the socket is busy. No exploits are known in the wild, but a use-after-free of this kind can crash the kernel (denial of service) and may be usable for privilege escalation through kernel memory corruption. The affected kernel versions are identified by commit hashes rather than release numbers, which indicates that the issue is present in recent development branches before the fix. No CVSS score has been assigned yet, but the impact on kernel stability and security is significant. The rose protocol itself is rarely used, but the timer subsystem it relies on is fundamental to the kernel, so the flaw could have broader implications if triggered.

Potential Impact

For European organizations, the impact of CVE-2025-21718 depends on whether they run Linux systems with vulnerable kernel versions and whether the rose protocol or related networking features are enabled. Organizations relying on Linux servers, particularly in cloud infrastructure, telecommunications, or embedded systems, could face system instability or denial of service from kernel crashes. In the worst case, an attacker able to trigger the use-after-free might execute arbitrary code with kernel privileges and fully compromise the system. This is of particular concern for critical infrastructure providers, financial institutions, and government agencies in Europe that depend on Linux for their operations. Exploitation could disrupt services, cause data loss, or enable lateral movement within networks. Although the rose protocol is niche, the underlying timer-handling and concurrency issue could indicate similar risks in related kernel components, so European organizations should assess their exposure carefully, especially where custom or development kernel builds or specialized networking stacks are in use. The absence of known exploits reduces the immediate threat but does not rule out future weaponization.

Mitigation Recommendations

Mitigation requires applying the official Linux kernel patches that address this vulnerability by adding the ownership check to the rose timers and ensuring safe synchronization with user threads. Organizations should:

1) Identify all Linux systems running kernel versions prior to the patch commit referenced by the CVE and verify whether the rose protocol or related networking features are enabled.
2) Update to the latest stable Linux kernel releases that include the fix for CVE-2025-21718.
3) Where immediate patching is not feasible, disable the rose protocol module if it is not required, to reduce the attack surface.
4) Use kernel hardening techniques such as the Kernel Address Sanitizer (KASAN) and other runtime protections to detect similar memory corruption issues early.
5) Monitor system logs and kernel crash reports for signs of exploitation attempts or instability related to timer operations.
6) Engage with Linux distribution vendors for backported patches when using long-term support kernels.
7) Test kernel updates thoroughly in staging environments to prevent regressions.

These steps go beyond generic advice by focusing on the specific protocol and kernel subsystem involved and by emphasizing proactive detection and controlled deployment.
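The following script is an added example for steps 1 and 3 above; it is not part of this CVE record and not code from the Linux project. It checks whether the rose protocol is present on a host and, where it is built as a loadable module, prints a modprobe.d drop-in that prevents it from loading. It assumes the module is named "rose" (the name used for net/rose in the kernel tree), that its Kconfig symbol is CONFIG_ROSE, and that the running kernel's configuration is readable at /boot/config-$(uname -r); the drop-in contents and file location are conventional choices, not something the CVE record specifies.

```shell
#!/bin/sh
# Added example (not from the CVE record or the kernel project): audit a
# Linux host for the AF_ROSE protocol and emit a modprobe.d drop-in that
# blocks the module. Assumed names: module "rose", Kconfig CONFIG_ROSE,
# kernel config at /boot/config-$(uname -r).

# Read a module listing (/proc/modules or lsmod output) on stdin and succeed
# only if "rose" is the first field on some line. Matching the whole field
# avoids false hits on names that merely contain "rose".
rose_loaded_in() {
    awk '$1 == "rose" { found = 1 } END { exit found ? 0 : 1 }'
}

# Read a kernel .config listing on stdin and print one of:
#   builtin  CONFIG_ROSE=y: a blacklist cannot help, only a fixed kernel can
#   module   CONFIG_ROSE=m: loadable, so a modprobe.d drop-in is effective
#   absent   ROSE not built at all: this CVE does not apply to the host
rose_config_state() {
    awk '/^CONFIG_ROSE=y$/ { s = "builtin" }
         /^CONFIG_ROSE=m$/ { s = "module" }
         END { print (s == "" ? "absent" : s) }'
}

# Print the drop-in that blocks rose. "blacklist" disables the module's own
# aliases, so an AF_ROSE socket() call no longer auto-loads it; "install ...
# /bin/false" makes an explicit modprobe fail as well.
rose_blacklist_conf() {
    cat <<'EOF'
# Disable AF_ROSE (net/rose): not needed on this host; mitigates CVE-2025-21718
blacklist rose
install rose /bin/false
EOF
}

# Live audit of the running kernel. Exit status: 0 rose not present,
# 1 rose currently loaded, 2 rose loadable but not loaded, 3 rose built in.
audit_host() {
    cfg="/boot/config-$(uname -r)"   # assumed location of the kernel config
    state=absent
    [ -r "$cfg" ] && state=$(rose_config_state < "$cfg")

    if [ -r /proc/modules ] && rose_loaded_in < /proc/modules; then
        echo "rose is loaded on $(uname -r): unload it (rmmod rose) once no AF_ROSE sockets remain, then install this drop-in in /etc/modprobe.d/:"
        rose_blacklist_conf
        return 1
    fi
    case "$state" in
        module)
            echo "rose is loadable (CONFIG_ROSE=m) but not loaded; install this drop-in in /etc/modprobe.d/:"
            rose_blacklist_conf
            return 2 ;;
        builtin)
            echo "rose is built into $(uname -r) (CONFIG_ROSE=y): only a patched kernel removes the exposure"
            return 3 ;;
        *)
            echo "rose is not present on $(uname -r)"
            return 0 ;;
    esac
}

# Run the live audit only when asked: sh rose_audit.sh audit
case "${1:-}" in
    audit) audit_host ;;
esac
```

Run it as `sh rose_audit.sh audit` on each candidate host and act on the exit status: a 2 means the drop-in is worth installing as an interim measure, while a 3 (built-in) or a 1 (already loaded, possibly in use) still leaves the kernel update as the only complete fix. Blacklisting only removes the exposure on hosts that do not actually need AF_ROSE; it does not repair the timer race.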


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.753Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe85ab

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 8:26:52 AM

Last updated: 8/1/2025, 2:51:59 AM

Views: 17
