CVE-2025-21719: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

ipmr: do not call mr_mfc_uses_dev() for unres entries

syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers.

This code never worked, lets remove it.

[1]
Unable to handle kernel paging request at virtual address ffff5fff2d536613
KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
Modules linked in:
CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
Call trace:
 mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
 mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
 mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
 sock_recvmsg_nosec net/socket.c:1033 [inline]
 sock_recvmsg net/socket.c:1055 [inline]
 sock_read_iter+0x2d8/0x40c net/socket.c:1125
 new_sync_read fs/read_write.c:484 [inline]
 vfs_read+0x740/0x970 fs/read_write.c:565
 ksys_read+0x15c/0x26c fs/read_write.c:708
AI Analysis
Technical Summary
CVE-2025-21719 is a vulnerability in the Linux kernel's IP multicast routing (ipmr) subsystem. It arises when the function mr_mfc_uses_dev() is called for unresolved multicast forwarding cache (mfc) entries, referred to as unres entries. For such an entry, the fields the function reads, c->mfc_un.res.minvif and c->mfc_un.res.maxvif, alias 'struct sk_buff_head unresolved', which contains two pointers. Calling mr_mfc_uses_dev() on these entries leads to a kernel crash from an invalid memory access, as shown by the kernel paging request failure and the KASAN (Kernel Address Sanitizer) report. The crash occurs because the code accesses memory at addresses that are not valid in this context, resulting in a wild memory access.

The vulnerability was discovered by syzbot, an automated kernel fuzzer, and affects Linux kernel version 6.13.0-rc7 and potentially other versions containing the flawed code. The root cause is a logic error: the code path calls mr_mfc_uses_dev() on unresolved multicast forwarding cache entries, which was never a valid operation. The fix removes this erroneous call so that the kernel no longer crashes. The vulnerability affects the stability and reliability of systems running affected kernel versions, particularly those using IP multicast routing. No exploits are currently known in the wild, and no CVSS score has been assigned yet.
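The aliasing described above can be reproduced in user space. This is an added example, not kernel code: the struct layout is a simplified model that keeps only the union members named in the description, the `resolved` tag is hypothetical (the kernel tells the two kinds of entry apart by which list they are on), and the offsets assume a 64-bit Linux build.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAXVIFS 32

/* Userspace model with an assumed, simplified layout; not the kernel's struct. */
struct queue_head { void *next, *prev; };   /* stands in for sk_buff_head */

struct mfc_entry {
    bool resolved;  /* hypothetical tag, added for this model only */
    union {
        struct { unsigned long expires; struct queue_head unresolved; } unres;
        struct { unsigned long last_assert; int minvif, maxvif;
                 unsigned char ttls[MAXVIFS]; } res;
    } mfc_un;
};

/* An empty queue head points at itself, so the unres arm always holds pointers. */
static void init_unres(struct mfc_entry *c)
{
    c->resolved = false;
    c->mfc_un.unres.expires = 0;
    c->mfc_un.unres.unresolved.next = &c->mfc_un.unres.unresolved;
    c->mfc_un.unres.unresolved.prev = &c->mfc_un.unres.unresolved;
}

/* True when res.minvif occupies the same bytes as the unresolved queue head. */
static bool vif_fields_alias_queue(void)
{
    return offsetof(struct mfc_entry, mfc_un.res.minvif) ==
           offsetof(struct mfc_entry, mfc_un.unres.unresolved);
}

/* Is [minvif, maxvif) a valid window into a table of MAXVIFS interfaces? */
static bool vif_range_plausible(const struct mfc_entry *c)
{
    int lo = c->mfc_un.res.minvif, hi = c->mfc_un.res.maxvif;
    return 0 <= lo && lo <= hi && hi <= MAXVIFS;
}

/* Guarded lookup: never interpret the res arm of an unresolved entry. */
static bool mfc_uses_vif(const struct mfc_entry *c, int vif)
{
    if (!c->resolved || !vif_range_plausible(c))
        return false;
    for (int ct = c->mfc_un.res.minvif; ct < c->mfc_un.res.maxvif; ct++)
        if (ct == vif && c->mfc_un.res.ttls[ct] < 255)
            return true;
    return false;
}
```

On an entry set up with `init_unres()`, `vif_range_plausible()` reports that the bytes read as minvif/maxvif are pointer fragments rather than interface indices, which is why a range loop driven by them walks off into unmapped memory.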
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with IP multicast routing enabled. Multicast routing is often used in enterprise networks for efficient distribution of data streams such as video conferencing, IPTV, and real-time data feeds. A kernel crash triggered by this vulnerability can lead to denial of service (DoS), causing system downtime and potential disruption of critical services. Organizations relying on multicast for internal communications or service delivery may experience interruptions, impacting operational continuity. Additionally, kernel crashes can lead to data loss or corruption if occurring during critical operations. While the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting instability could be exploited by attackers to cause persistent denial of service. European entities with infrastructure running Linux kernels in data centers, cloud environments, or embedded systems that utilize multicast routing are at risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future exploitation once the vulnerability becomes widely known.
Mitigation Recommendations
1. Immediate patching: Apply the official Linux kernel patches that remove the erroneous call to mr_mfc_uses_dev() for unresolved entries as soon as they are available. Monitor Linux kernel mailing lists and vendor advisories for updates.
2. Kernel version management: Avoid deploying or continuing to use Linux kernel versions known to contain this vulnerability (e.g., 6.13.0-rc7) in production environments until patched versions are released.
3. Disable multicast routing if not required: For systems that do not require IP multicast routing, disable the ipmr subsystem to reduce the attack surface.
4. Implement kernel crash monitoring: Deploy monitoring tools that can detect kernel panics or crashes promptly to enable rapid incident response and system recovery.
5. Network segmentation: Limit exposure of multicast routing services to trusted network segments to reduce the likelihood of triggering the vulnerability from untrusted sources.
6. Conduct thorough testing: Before deploying kernel updates, perform regression testing in controlled environments to ensure stability and compatibility with existing multicast routing configurations.
7. Maintain backups and recovery plans: Ensure that critical data and system states are regularly backed up to mitigate the impact of potential crashes and facilitate quick restoration.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.753Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe85b3
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 8:27:12 AM
Last updated: 7/26/2025, 8:33:59 PM