CVE-2025-21813: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: timers/migration: Fix off-by-one root mis-connection Before attaching a new root to the old root, the children counter of the new root is checked to verify that only the upcoming CPU's top group have been connected to it. However since the recently added commit b729cc1ec21a ("timers/migration: Fix another race between hotplug and idle entry/exit") this check is not valid anymore because the old root is pre-accounted as a child to the new root. Therefore after connecting the upcoming CPU's top group to the new root, the children count to be expected must be 2 and not 1 anymore. This omission results in the old root to not be connected to the new root. Then eventually the system may run with more than one top level, which defeats the purpose of a single idle migrator. Also the old root is pre-accounted but not connected upon the new root creation. But it can be connected to the new root later on. Therefore the old root may be accounted twice to the new root. The propagation of such overcommit can end up creating a double final top-level root with a groupmask incorrectly initialized. Although harmless given that the final top level roots will never have a parent to walk up to, this oddity opportunistically reported the core issue: WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote CPU: 8 UID: 0 PID: 0 Comm: swapper/8 RIP: 0010:tmigr_requires_handle_remote Call Trace: <IRQ> ? tmigr_requires_handle_remote ? hrtimer_run_queues update_process_times tick_periodic tick_handle_periodic __sysvec_apic_timer_interrupt sysvec_apic_timer_interrupt </IRQ> Fix the problem by taking the old root into account in the children count of the new root so the connection is not omitted. Also warn when more than one top level group exists to better detect similar issues in the future.
AI Analysis
Technical Summary
CVE-2025-21813 is a vulnerability identified in the Linux kernel's timer migration subsystem, specifically related to the management of CPU idle migrator root groups. The issue arises from an off-by-one error in the children count verification logic when attaching a new root group to an old root group during CPU hotplug or idle state transitions. A recent kernel commit intended to fix a race condition between CPU hotplug events and idle entry/exit inadvertently invalidated the previous children count check. The old root group is pre-accounted as a child of the new root, but this was not properly considered in the children count validation, leading to the old root not being connected to the new root. Consequently, the system may operate with multiple top-level idle migrator roots instead of a single unified root, undermining the intended hierarchical CPU idle management. Additionally, the old root can be accounted twice to the new root, causing an overcommitment that results in a double final top-level root with an incorrectly initialized groupmask. While this anomaly does not directly cause system crashes or immediate functional failures, it triggers kernel warnings and represents a structural inconsistency in CPU idle group management. The vulnerability could potentially affect system stability or performance under specific workloads involving CPU hotplug or idle state transitions. The fix involves adjusting the children count check to properly account for the old root during new root attachment and adding warnings when multiple top-level groups are detected to aid future diagnostics. No known exploits are reported in the wild, and the vulnerability affects specific Linux kernel versions identified by commit hashes.
Potential Impact
For European organizations relying on Linux-based infrastructure, particularly those running kernel versions affected by this vulnerability, the impact is primarily related to system stability and performance degradation rather than direct security compromise. Systems with frequent CPU hotplug events or dynamic CPU power management may experience inconsistent CPU idle state management, potentially leading to inefficient CPU utilization or unexpected behavior in timer migration. While the vulnerability does not appear to allow privilege escalation, code execution, or data leakage, the kernel warnings and structural inconsistencies could complicate system diagnostics and maintenance. In critical environments such as data centers, cloud providers, or industrial control systems where Linux kernels are heavily customized and CPU hotplugging is common, this issue might increase the risk of subtle performance anomalies or complicate incident response. However, since no active exploitation is known and the vulnerability does not directly expose sensitive information or allow unauthorized access, the immediate security risk is moderate. Organizations should still prioritize patching to maintain kernel integrity and prevent potential cascading issues in complex CPU management scenarios.
Mitigation Recommendations
European organizations should take the following specific mitigation steps: 1) Identify Linux systems running affected kernel versions by matching the provided commit hashes or kernel version details. 2) Apply the official Linux kernel patches that address CVE-2025-21813 as soon as they become available from trusted sources or Linux distribution maintainers. 3) For environments where immediate patching is not feasible, monitor kernel logs for warnings related to multiple top-level idle migrator groups or timer migration anomalies to detect potential manifestations of this issue. 4) Review CPU hotplug and power management configurations to minimize unnecessary CPU state transitions that could trigger the vulnerability. 5) Engage with Linux distribution vendors to confirm backport status of the fix in enterprise kernel versions and plan coordinated updates. 6) Incorporate this vulnerability into system health checks and incident response playbooks to ensure timely detection and remediation. 7) Test kernel updates in staging environments to verify stability and performance before production deployment, given the kernel subsystem affected involves low-level CPU management.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2025-21813: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: timers/migration: Fix off-by-one root mis-connection Before attaching a new root to the old root, the children counter of the new root is checked to verify that only the upcoming CPU's top group have been connected to it. However since the recently added commit b729cc1ec21a ("timers/migration: Fix another race between hotplug and idle entry/exit") this check is not valid anymore because the old root is pre-accounted as a child to the new root. Therefore after connecting the upcoming CPU's top group to the new root, the children count to be expected must be 2 and not 1 anymore. This omission results in the old root to not be connected to the new root. Then eventually the system may run with more than one top level, which defeats the purpose of a single idle migrator. Also the old root is pre-accounted but not connected upon the new root creation. But it can be connected to the new root later on. Therefore the old root may be accounted twice to the new root. The propagation of such overcommit can end up creating a double final top-level root with a groupmask incorrectly initialized. Although harmless given that the final top level roots will never have a parent to walk up to, this oddity opportunistically reported the core issue: WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote CPU: 8 UID: 0 PID: 0 Comm: swapper/8 RIP: 0010:tmigr_requires_handle_remote Call Trace: <IRQ> ? tmigr_requires_handle_remote ? hrtimer_run_queues update_process_times tick_periodic tick_handle_periodic __sysvec_apic_timer_interrupt sysvec_apic_timer_interrupt </IRQ> Fix the problem by taking the old root into account in the children count of the new root so the connection is not omitted. Also warn when more than one top level group exists to better detect similar issues in the future.
AI-Powered Analysis
Technical Analysis
CVE-2025-21813 is a vulnerability identified in the Linux kernel's timer migration subsystem, specifically related to the management of CPU idle migrator root groups. The issue arises from an off-by-one error in the children count verification logic when attaching a new root group to an old root group during CPU hotplug or idle state transitions. A recent kernel commit intended to fix a race condition between CPU hotplug events and idle entry/exit inadvertently invalidated the previous children count check. The old root group is pre-accounted as a child of the new root, but this was not properly considered in the children count validation, leading to the old root not being connected to the new root. Consequently, the system may operate with multiple top-level idle migrator roots instead of a single unified root, undermining the intended hierarchical CPU idle management. Additionally, the old root can be accounted twice to the new root, causing an overcommitment that results in a double final top-level root with an incorrectly initialized groupmask. While this anomaly does not directly cause system crashes or immediate functional failures, it triggers kernel warnings and represents a structural inconsistency in CPU idle group management. The vulnerability could potentially affect system stability or performance under specific workloads involving CPU hotplug or idle state transitions. The fix involves adjusting the children count check to properly account for the old root during new root attachment and adding warnings when multiple top-level groups are detected to aid future diagnostics. No known exploits are reported in the wild, and the vulnerability affects specific Linux kernel versions identified by commit hashes.
Potential Impact
For European organizations relying on Linux-based infrastructure, particularly those running kernel versions affected by this vulnerability, the impact is primarily related to system stability and performance degradation rather than direct security compromise. Systems with frequent CPU hotplug events or dynamic CPU power management may experience inconsistent CPU idle state management, potentially leading to inefficient CPU utilization or unexpected behavior in timer migration. While the vulnerability does not appear to allow privilege escalation, code execution, or data leakage, the kernel warnings and structural inconsistencies could complicate system diagnostics and maintenance. In critical environments such as data centers, cloud providers, or industrial control systems where Linux kernels are heavily customized and CPU hotplugging is common, this issue might increase the risk of subtle performance anomalies or complicate incident response. However, since no active exploitation is known and the vulnerability does not directly expose sensitive information or allow unauthorized access, the immediate security risk is moderate. Organizations should still prioritize patching to maintain kernel integrity and prevent potential cascading issues in complex CPU management scenarios.
Mitigation Recommendations
European organizations should take the following specific mitigation steps: 1) Identify Linux systems running affected kernel versions by matching the provided commit hashes or kernel version details. 2) Apply the official Linux kernel patches that address CVE-2025-21813 as soon as they become available from trusted sources or Linux distribution maintainers. 3) For environments where immediate patching is not feasible, monitor kernel logs for warnings related to multiple top-level idle migrator groups or timer migration anomalies to detect potential manifestations of this issue. 4) Review CPU hotplug and power management configurations to minimize unnecessary CPU state transitions that could trigger the vulnerability. 5) Engage with Linux distribution vendors to confirm backport status of the fix in enterprise kernel versions and plan coordinated updates. 6) Incorporate this vulnerability into system health checks and incident response playbooks to ensure timely detection and remediation. 7) Test kernel updates in staging environments to verify stability and performance before production deployment, given the kernel subsystem affected involves low-level CPU management.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.774Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9832c4522896dcbe88f3
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 9:26:21 AM
Last updated: 7/28/2025, 2:50:31 PM
Views: 14
Related Threats
CVE-2025-8885: CWE-770 Allocation of Resources Without Limits or Throttling in Legion of the Bouncy Castle Inc. Bouncy Castle for Java
MediumCVE-2025-26398: CWE-798 Use of Hard-coded Credentials in SolarWinds Database Performance Analyzer
MediumCVE-2025-41686: CWE-306 Missing Authentication for Critical Function in Phoenix Contact DaUM
HighCVE-2025-8874: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litonice13 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
MediumCVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.