CVE-2025-21806: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: let net.core.dev_weight always be non-zero

The following problem was encountered during stability test:

    (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \
        returned 1, exceeding its budget of 0.
    ------------[ cut here ]------------
    list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \
        next=ffff88905f746e40.
    WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \
        __list_add_valid_or_report+0xf3/0x130
    CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+
    RIP: 0010:__list_add_valid_or_report+0xf3/0x130
    Call Trace:
     ? __warn+0xcd/0x250
     ? __list_add_valid_or_report+0xf3/0x130
     enqueue_to_backlog+0x923/0x1070
     netif_rx_internal+0x92/0x2b0
     __netif_rx+0x15/0x170
     loopback_xmit+0x2ef/0x450
     dev_hard_start_xmit+0x103/0x490
     __dev_queue_xmit+0xeac/0x1950
     ip_finish_output2+0x6cc/0x1620
     ip_output+0x161/0x270
     ip_push_pending_frames+0x155/0x1a0
     raw_sendmsg+0xe13/0x1550
     __sys_sendto+0x3bf/0x4e0
     __x64_sys_sendto+0xdc/0x1b0
     do_syscall_64+0x5b/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

The reproduction command is as follows:

    sysctl -w net.core.dev_weight=0
    ping 127.0.0.1

This is because when the napi's weight is set to 0, process_backlog() may return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this napi to be re-polled in net_rx_action() until __do_softirq() times out. Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can be retriggered in enqueue_to_backlog(), causing this issue.

Making the napi's weight always non-zero solves this problem.

Triggering this issue requires system-wide admin (setting is not namespaced).
AI Analysis
Technical Summary
CVE-2025-21806 is a vulnerability in the Linux kernel's network subsystem, in the handling of the net.core.dev_weight parameter, which controls the weight of the NAPI (New API) poll function. The issue arises when net.core.dev_weight is set to zero, an invalid state that leads to improper handling of the NAPI poll budget. Specifically, process_backlog() may return 1 despite having a budget of 0, so the NAPI poll function exceeds its budget.

This triggers a chain of events in which the NAPI_STATE_SCHED bit in napi->state is cleared prematurely, leading to repeated re-polling of the NAPI instance in net_rx_action() until softirq processing times out. Concurrently, enqueue_to_backlog() can retrigger napi_schedule_rps(), causing a double addition to the linked list that manages backlog packets. The result is kernel warnings and potential instability, including list corruption and CPU warnings as shown in the kernel logs.

Setting net.core.dev_weight to zero requires administrative privileges. The setting is system-wide and not namespaced, so it affects the entire system. The root cause is that the kernel did not enforce a non-zero minimum value for net.core.dev_weight, allowing an invalid configuration that leads to kernel instability and potential denial of service (DoS). The fix ensures that net.core.dev_weight is always non-zero, preventing the invalid state and the resulting kernel processing anomalies.

No known exploits are currently reported in the wild, and the vulnerability was published on February 27, 2025. The affected versions correspond to a specific Linux kernel commit hash e3876605450979fe52a1a03e7eb78a89bf59e76a, indicating a narrow range of impacted kernel builds around version 6.13.0-rc7+.
Potential Impact
For European organizations, the impact of CVE-2025-21806 primarily concerns system stability and availability. Because the vulnerability can cause kernel warnings, list corruption, and softirq timeouts, it can lead to system crashes or degraded network performance, effectively resulting in denial of service conditions. Organizations relying on Linux-based infrastructure, such as servers, network appliances, and embedded systems, may experience outages or degraded service if an attacker sets net.core.dev_weight to zero or an administrator does so through misconfiguration. Although exploitation requires administrative privileges, insider threats or compromised administrative accounts could trigger this vulnerability intentionally or accidentally. This could disrupt critical services, especially in sectors like finance, telecommunications, healthcare, and government, where Linux servers are prevalent. Additionally, the instability may complicate incident response and recovery efforts.

Given that the vulnerability affects the kernel's network stack, it could impact network throughput and reliability, affecting distributed systems and cloud environments widely used by European enterprises. However, since no remote exploitation vector is indicated and user interaction is not required, the risk of external attackers exploiting this vulnerability remotely is low. The main risk is from privileged users or automated scripts misconfiguring the system.
Mitigation Recommendations
To mitigate CVE-2025-21806, European organizations should:

1) Immediately apply the Linux kernel patch that enforces a non-zero minimum value for net.core.dev_weight once it is available from their Linux distribution vendors.
2) Implement strict access controls and auditing on administrative accounts to prevent unauthorized or accidental changes to kernel parameters, especially net.core.dev_weight.
3) Monitor system logs for kernel warnings related to list corruption or NAPI scheduling anomalies to detect potential exploitation or misconfiguration early.
4) Use configuration management tools to enforce valid kernel parameter settings and prevent setting net.core.dev_weight to zero.
5) In environments where kernel upgrades are delayed, consider restricting the ability to modify net.core.dev_weight via sysctl by limiting root access or using security modules like SELinux or AppArmor to control sysctl modifications.
6) Conduct regular kernel and system stability testing after configuration changes to detect any adverse effects promptly.
7) Educate system administrators about the risks of setting net.core.dev_weight to zero and the importance of adhering to recommended kernel parameter values.

These steps go beyond generic advice by focusing on preventing the specific misconfiguration that triggers the vulnerability and ensuring rapid detection and remediation.
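The checks in recommendations 3) and 4) can be scripted. The following is an added example, not code from the advisory or the kernel project: it flags a live or persisted net.core.dev_weight of zero and counts kernel-log lines carrying the two symptoms quoted in the description. The config locations /etc/sysctl.conf and /etc/sysctl.d/ and the script name audit.sh are assumptions.

```shell
#!/bin/sh
# Added example: defensive audit for the net.core.dev_weight=0 condition.

# List "file:line: text" for every sysctl-style config line that sets
# net.core.dev_weight to zero. Accepts the dotted and slashed key forms
# and the leading "-" (ignore-errors) prefix.
find_zero_dev_weight() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            sub(/^-/, "", key); gsub("/", ".", key)
            if (key == "net.core.dev_weight" && val ~ /^0+$/)
                print FILENAME ":" FNR ": " $0
        }' "$@"
}

# Count kernel-log lines (files, or stdin if none) showing either symptom
# quoted in the advisory. Always exits 0 and prints a number.
count_napi_symptoms() {
    awk '/exceeding its budget of 0\./ || /list_add double add:/ { n++ }
         END { print n + 0 }' "$@"
}

# Succeed only if the live value is a positive integer. The optional
# argument (a file to read instead of /proc) exists for offline testing.
live_dev_weight_ok() {
    v=$(cat "${1:-/proc/sys/net/core/dev_weight}" 2>/dev/null) || return 2
    [ "$v" -gt 0 ] 2>/dev/null
}

# Run on a host with: sh audit.sh --audit
# Assumed locations of persistent settings: /etc/sysctl.conf, /etc/sysctl.d/.
if [ "${1:-}" = "--audit" ]; then
    live_dev_weight_ok || echo "ALERT: live net.core.dev_weight is not positive (or unreadable)"
    find_zero_dev_weight /etc/sysctl.conf /etc/sysctl.d/*.conf 2>/dev/null || true
    echo "symptom lines in kernel log: $(dmesg 2>/dev/null | count_napi_symptoms)"
fi
```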
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.771Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe88bb
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 9:25:26 AM
Last updated: 8/14/2025, 10:07:09 AM