
CVE-2025-21812: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Thu Feb 27 2025 (02/27/2025, 20:01:02 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ax25: rcu protect dev->ax25_ptr

syzbot found a lockdep issue [1].

We should remove ax25 RTNL dependency in ax25_setsockopt()

This should also fix a variety of possible UAF in ax25.

[1]
WARNING: possible circular locking dependency detected
6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted
------------------------------------------------------
syz.5.1818/12806 is trying to acquire lock:
ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680

but task is already holding lock:
ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (sk_lock-AF_AX25){+.+.}-{0:0}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
lock_sock_nested+0x48/0x100 net/core/sock.c:3642
lock_sock include/net/sock.h:1618 [inline]
ax25_kill_by_device net/ax25/af_ax25.c:101 [inline]
ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146
notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85
__dev_notify_flags+0x207/0x400
dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026
dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563
dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820
sock_do_ioctl+0x240/0x460 net/socket.c:1234
sock_ioctl+0x626/0x8e0 net/socket.c:1339
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (rtnl_mutex){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680
do_sock_setsockopt+0x3af/0x720 net/socket.c:2324
__sys_setsockopt net/socket.c:2349 [inline]
__do_sys_setsockopt net/socket.c:2355 [inline]
__se_sys_setsockopt net/socket.c:2352 [inline]
__x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_AX25);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_AX25);
  lock(rtnl_mutex);

*** DEADLOCK ***

1 lock held by syz.5.1818/12806:
#0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
#0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

stack backtrace:
CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/lockin
---truncated---

AI-Powered Analysis

Last updated: 07/03/2025, 14:26:38 UTC

Technical Analysis

CVE-2025-21812 is a high-severity vulnerability in the Linux kernel's AX.25 protocol implementation (net/ax25/af_ax25.c). It stems from a circular locking dependency between rtnl_mutex and sk_lock-AF_AX25 that can lead to deadlocks and, as the fix notes, a variety of possible use-after-free (UAF) conditions in ax25. The issue was found by syzbot, an automated kernel fuzzer, which reported a lockdep warning for the circular dependency. The two chains in that report run in opposite orders: ax25_setsockopt() takes the socket lock (sk_lock-AF_AX25) and then tries to take rtnl_mutex, while the device notifier path (dev_ioctl() -> dev_change_flags() -> ax25_device_event() -> ax25_kill_by_device()) already runs under rtnl_mutex and then takes the socket lock. This lock-order inversion can deadlock the two tasks, and together with the UAF conditions it potentially allows a local attacker with low privileges to escalate privileges or cause a denial of service by crashing the kernel or corrupting kernel memory. The CVSS v3.1 score is 7.8 (high): high impact on confidentiality, integrity, and availability, low attack complexity, low privileges required, and no user interaction. Multiple Linux kernel versions are affected, including the 6.13.0-rc3 development release shown in the report and others identified by specific commit hashes. The issue is classified as CWE-416 (Use After Free), indicating a memory safety problem. No exploits in the wild are known at the time of writing, but the kernel-level impact makes it a significant risk. The fix ("ax25: rcu protect dev->ax25_ptr") removes the RTNL dependency from ax25_setsockopt(), which breaks the circular locking chain, and protects dev->ax25_ptr with RCU to address the UAF conditions.
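To make the circular dependency concrete, here is an added example (not code from the advisory or the Linux kernel) that replays the report's two lock-acquisition chains through a tiny lockdep-style checker; the lock names are the report's, and the checker is a simplification of what lockdep does, not its real implementation.

```c
/* Added example (not from the advisory or the Linux kernel): a minimal
 * lockdep-style lock-order checker that replays the two acquisition orders
 * from the CVE-2025-21812 report. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8
enum { SK_LOCK_AF_AX25 = 0, RTNL_MUTEX = 1 };   /* lock classes from the report */
typedef struct { bool dep[MAX_LOCKS][MAX_LOCKS]; } lockdep_t; /* dep[a][b]: a held when b taken */
typedef struct { int held[MAX_LOCKS]; int n; } task_t;       /* locks a task holds, innermost last */

/* Is there already a recorded path from 'from' to 'to'? */
static bool reachable(const lockdep_t *ld, int from, int to, bool *seen) {
    if (from == to) return true;
    seen[from] = true;
    for (int next = 0; next < MAX_LOCKS; next++)
        if (ld->dep[from][next] && !seen[next] && reachable(ld, next, to, seen))
            return true;
    return false;
}

/* 'task' acquires 'lock'. Returns false, recording nothing, when the new edge
 * held -> lock would close a cycle (lockdep's "circular locking dependency"). */
static bool acquire(lockdep_t *ld, task_t *task, int lock) {
    for (int i = 0; i < task->n; i++) {
        bool seen[MAX_LOCKS] = {0};
        if (reachable(ld, lock, task->held[i], seen)) return false;
    }
    for (int i = 0; i < task->n; i++) ld->dep[task->held[i]][lock] = true;
    task->held[task->n++] = lock;
    return true;
}

/* Chain #1: dev_ioctl() runs under rtnl_mutex, then ax25_device_event() ->
 * ax25_kill_by_device() takes sk_lock-AF_AX25. Chain #0: ax25_setsockopt()
 * holds sk_lock-AF_AX25 and, before the fix, takes rtnl_mutex. */
bool replay(bool setsockopt_takes_rtnl) {
    lockdep_t ld; memset(&ld, 0, sizeof ld);
    task_t t = { .n = 0 };
    acquire(&ld, &t, RTNL_MUTEX); acquire(&ld, &t, SK_LOCK_AF_AX25); t.n = 0;
    bool ok = acquire(&ld, &t, SK_LOCK_AF_AX25);
    if (setsockopt_takes_rtnl) ok = ok && acquire(&ld, &t, RTNL_MUTEX);
    return ok;
}

int main(void) {
    printf("before fix: %s\n", replay(true) ? "no cycle" : "circular dependency detected");
    printf("after fix:  %s\n", replay(false) ? "no cycle" : "circular dependency detected");
}
```

With the pre-fix ordering the second chain closes the cycle and the checker refuses the rtnl_mutex acquisition; once ax25_setsockopt() no longer takes RTNL, only the device-notifier edge remains and no cycle exists.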

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on Linux-based infrastructure, including servers, embedded systems, and network devices that utilize the AX.25 protocol (commonly used in amateur radio and some specialized communication systems). Exploitation could lead to kernel crashes, denial of service, or privilege escalation, compromising system confidentiality, integrity, and availability. Critical infrastructure sectors such as telecommunications, research institutions, and defense-related organizations that may use Linux kernels with AX.25 support could be particularly vulnerable. The vulnerability's requirement for local access limits remote exploitation but does not eliminate risk, as attackers gaining initial footholds through other means could leverage this flaw to escalate privileges or disrupt services. Given the widespread use of Linux in European data centers and cloud environments, unpatched systems could face operational disruptions and potential data breaches. The absence of known exploits in the wild provides a window for proactive mitigation, but the high severity score demands urgent attention.

Mitigation Recommendations

European organizations should prioritize patching affected Linux kernel versions as soon as vendor updates become available, focusing on kernels that include AX.25 protocol support. Where immediate patching is not feasible, organizations should:

1) Restrict local access to trusted users only, minimizing the risk of exploitation by unprivileged users.
2) Employ kernel lockdown features and mandatory access controls (e.g., SELinux, AppArmor) to limit the ability of local users to interact with kernel networking components.
3) Monitor kernel logs for lockdep "possible circular locking dependency detected" reports and other locking or kernel warnings that reference ax25, which might indicate exploitation attempts. Note that lockdep reports are only emitted by kernels built with lock debugging enabled; on a production kernel the same inversion is more likely to surface as hung tasks or a crash.
4) Disable AX.25 protocol support if it is not required for operational purposes to reduce the attack surface.
5) Use kernel live patching solutions where supported to apply fixes without downtime.
6) Conduct thorough security audits of local user privileges and network socket configurations to prevent unauthorized access.

These steps go beyond generic advice by focusing on the specific locking and protocol context of the vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.774Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd357

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 7/3/2025, 2:26:38 PM

Last updated: 8/16/2025, 10:56:03 PM

