CVE-2025-21823: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: Drop unmanaged ELP metric worker

The ELP worker needs to calculate new metric values for all neighbors "reachable" over an interface. Some of the used metric sources require locks which might need to sleep. This sleep is incompatible with the RCU list iterator used for the recorded neighbors.

The initial approach to work around this problem was to queue another work item per neighbor and then run this in a new context. Even when this solved the RCU vs might_sleep() conflict, it has major problems: Nothing was stopping the work item in case it is not needed anymore - for example because one of the related interfaces was removed or the batman-adv module was unloaded - resulting in potential invalid memory accesses.

Directly canceling the metric worker also has various problems:

* cancel_work_sync for a to-be-deactivated interface is called with rtnl_lock held. But the code in the ELP metric worker also tries to use rtnl_lock() - which will never return in this case. This also means that cancel_work_sync would never return because it is waiting for the worker to finish.
* iterating over the neighbor list for the to-be-deactivated interface is currently done using the RCU specific methods, which means that it is possible to miss items when iterating over it without the associated spinlock - a behaviour which is acceptable for a periodic metric check but not for a cleanup routine (which must "stop" all still running workers)

The better approach is to get rid of the per interface neighbor metric worker and handle everything in the interface worker.

The original problems are solved by:

* creating a list of neighbors which require new metric information inside the RCU protected context, gathering the metric according to the new list outside the RCU protected context
* only use rcu_trylock inside metric gathering code to avoid a deadlock when the cancel_delayed_work_sync is called in the interface removal code (which is called with the rtnl_lock held)
AI Analysis
Technical Summary
CVE-2025-21823 is a vulnerability in the Linux kernel's batman-adv (Better Approach To Mobile Adhoc Networking - advanced) module, which provides mesh networking. The issue arises in the handling of the ELP (Echo Location Protocol) metric worker, which calculates metric values for neighbors reachable over an interface. The original implementation queued a separate work item per neighbor to handle metric calculations, but this approach had significant flaws. Specifically, nothing stopped these work items once they were no longer needed, such as when an interface was removed or the batman-adv module was unloaded. This could lead to invalid memory accesses and therefore to kernel crashes or undefined behavior. Attempts to cancel these work items synchronously (using cancel_work_sync) led to deadlocks because the cancellation was performed while holding the rtnl_lock, which the worker also tried to acquire, causing a circular wait. Additionally, the iteration over the neighbor list used RCU (Read-Copy-Update) methods without the associated spinlock, which is acceptable for periodic metric checks but unsafe for cleanup routines that must ensure all workers are stopped. The fix removes the per-interface neighbor metric worker and consolidates metric gathering into the interface worker: it builds a list of neighbors needing metric updates within an RCU-protected context and performs the metric gathering outside that context. It also uses rcu_trylock to avoid deadlocks during interface removal when cancel_delayed_work_sync is called with rtnl_lock held. This redesign prevents invalid memory accesses and deadlocks and ensures proper cleanup of the worker during interface or module teardown.
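The two changes the commit message and the summary above describe (snapshot the neighbor list and take references on it inside the RCU read side, then do the sleeping metric work outside it; and acquire the rtnl lock with a non-blocking try-lock so that a cancel_delayed_work_sync() issued under rtnl_lock cannot wait forever) can be modelled in userspace. The following is an added example, not code from the Linux kernel or the batman-adv project: a pthread rwlock stands in for the RCU read side, a plain mutex for rtnl_lock, pthread_join for cancel_delayed_work_sync(), and every name in it (struct iface, struct neigh, elp_metric_round, iface_disable, run_scenario) and the metric formula are constructed for the illustration. What the commit message calls rcu_trylock is the non-blocking acquisition of the rtnl lock (rtnl_trylock() in the kernel), modelled here with pthread_mutex_trylock.

```c
/* Constructed userspace model of the batman-adv ELP fix, not kernel code: a rwlock stands
 * in for the RCU read side, a mutex for rtnl_lock, pthread_join for cancel_delayed_work_sync(). */
#define _XOPEN_SOURCE 700         /* rwlocks and usleep under strict compilers */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <unistd.h>

struct neigh {
    int id, metric;
    atomic_int refcount;          /* lifetime, like batadv's kref-counted neighbors */
    struct neigh *next;
};

struct iface {
    pthread_rwlock_t neigh_lock;  /* RCU stand-in: readers snapshot, writers mutate */
    struct neigh *neigh_list;
    pthread_mutex_t rtnl;         /* held by teardown while it waits for the worker */
    atomic_bool stop;
    pthread_t worker;
};

static void neigh_put(struct neigh *n) { if (atomic_fetch_sub(&n->refcount, 1) == 1) free(n); }

/* Metric source that needs rtnl and may sleep. trylock is the fix: if teardown already
 * holds rtnl, give up this round instead of blocking forever. Returns 1 if updated. */
static int neigh_update_metric(struct iface *ifp, struct neigh *n)
{
    if (pthread_mutex_trylock(&ifp->rtnl) != 0)
        return 0;                 /* a blocking lock here is the CVE's deadlock */
    usleep(200);                  /* sleeping is fine: no read-side lock is held */
    n->metric = n->id * 10;       /* constructed metric */
    pthread_mutex_unlock(&ifp->rtnl);
    return 1;
}

/* One ELP round: snapshot under the read side, then do the sleeping work on the
 * private list outside it. Returns how many neighbors were updated. */
int elp_metric_round(struct iface *ifp)
{
    struct neigh *todo[8];        /* private work list; 8 is an arbitrary cap */
    int count = 0, updated = 0;
    pthread_rwlock_rdlock(&ifp->neigh_lock);
    for (struct neigh *n = ifp->neigh_list; n && count < 8; n = n->next) {
        atomic_fetch_add(&n->refcount, 1);  /* stays valid after the critical section */
        todo[count++] = n;
    }
    pthread_rwlock_unlock(&ifp->neigh_lock);
    for (int i = 0; i < count; i++) {
        updated += neigh_update_metric(ifp, todo[i]);
        neigh_put(todo[i]);
    }
    return updated;
}

static void *elp_worker(void *arg)
{
    struct iface *ifp = arg;
    while (!atomic_load(&ifp->stop)) {
        elp_metric_round(ifp);
        usleep(500);
    }
    return NULL;
}

void iface_init(struct iface *ifp, int nneigh)
{
    pthread_rwlock_init(&ifp->neigh_lock, NULL);
    pthread_mutex_init(&ifp->rtnl, NULL);
    ifp->neigh_list = NULL;
    atomic_init(&ifp->stop, 0);
    for (int id = nneigh; id >= 1; id--) {  /* list ends up ordered 1..nneigh */
        struct neigh *nb = calloc(1, sizeof(*nb));
        nb->id = id;
        atomic_init(&nb->refcount, 1);      /* the list's own reference */
        nb->next = ifp->neigh_list;
        ifp->neigh_list = nb;
    }
}

/* Interface removal with rtnl held, as in the kernel: stop and wait for the worker,
 * then drop the list. Only returns because the worker uses trylock. */
void iface_disable(struct iface *ifp)
{
    pthread_mutex_lock(&ifp->rtnl);
    atomic_store(&ifp->stop, 1);
    pthread_join(ifp->worker, NULL);
    pthread_mutex_unlock(&ifp->rtnl);
    while (ifp->neigh_list) {             /* worker is gone, so no readers remain */
        struct neigh *n = ifp->neigh_list;
        ifp->neigh_list = n->next;
        neigh_put(n);
    }
}

/* Deterministic walk-through; returns 0 on success, else the failing step. */
int run_scenario(void)
{
    struct iface ifp;
    iface_init(&ifp, 3);
    if (elp_metric_round(&ifp) != 3) return 1;                  /* rtnl free: all updated */
    if (ifp.neigh_list->metric != 10) return 2;                 /* id 1 -> metric 10 */
    if (atomic_load(&ifp.neigh_list->refcount) != 1) return 3;  /* references returned */
    pthread_mutex_lock(&ifp.rtnl);                              /* someone holds rtnl ... */
    int skipped = elp_metric_round(&ifp);                       /* ... round yields, no block */
    pthread_mutex_unlock(&ifp.rtnl);
    if (skipped != 0) return 4;
    if (pthread_create(&ifp.worker, NULL, elp_worker, &ifp)) return 5;
    usleep(3000);
    iface_disable(&ifp);                                        /* rtnl held + join: returns */
    return ifp.neigh_list == NULL ? 0 : 6;
}

int main(void) { return run_scenario(); }
```

Build with `cc -pthread`. run_scenario() returns 0 when a round with rtnl free updates all three neighbors and hands every reference back, a round started while another context holds rtnl returns at once with nothing updated, and teardown that holds rtnl while joining the worker completes and frees the list. Changing pthread_mutex_trylock to pthread_mutex_lock in neigh_update_metric reproduces the wedge the advisory describes: iface_disable would then wait on a worker that is itself waiting for the lock iface_disable holds, which is why a detection of this bug in the field looks like a hung interface removal or module unload rather than a crash.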
Potential Impact
For European organizations, especially those relying on Linux-based infrastructure for networking, including mesh networks or embedded systems using batman-adv, this vulnerability could lead to system instability or denial of service due to kernel crashes or deadlocks. While there is no indication of remote code execution or privilege escalation, the potential for invalid memory access and deadlocks can disrupt critical network services, impacting availability. Organizations operating in sectors such as telecommunications, public safety, transportation, and industrial control systems that utilize mesh networking may experience outages or degraded performance. Additionally, embedded devices running vulnerable Linux kernels could be affected, potentially impacting IoT deployments common in smart city initiatives across Europe. The lack of known exploits in the wild reduces immediate risk, but the complexity of the issue and its kernel-level nature mean that unpatched systems remain vulnerable to stability issues, which could be exploited indirectly by attackers aiming to cause disruption.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Since the issue is in the batman-adv module, systems not using this module are not directly affected, so auditing and disabling unused kernel modules can reduce exposure. For systems requiring batman-adv, ensure kernel updates are applied promptly. Network administrators should monitor system logs for signs of kernel panics or deadlocks related to batman-adv. In environments where kernel updates are delayed, consider isolating affected systems or limiting interface removals and module unload operations to maintenance windows to reduce the risk of triggering the vulnerability. Additionally, testing kernel updates in staging environments before deployment can prevent unexpected downtime. For embedded devices, coordinate with vendors to obtain patched firmware. Finally, implement robust backup and recovery procedures to mitigate potential service disruptions caused by this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.775Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8911
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 9:28:04 AM
Last updated: 8/16/2025, 9:55:26 PM
Views: 13
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)