
CVE-2025-21852: Vulnerability in Linux (Linux kernel)

High
Published: Wed Mar 12 2025 (03/12/2025, 09:42:07 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: Add rx_skb of kfree_skb to raw_tp_null_args[].

Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0] in trace_kfree_skb if the prog does not check if rx_sk is NULL.

Commit c53795d48ee8 ("net: add rx_sk to trace_kfree_skb") added rx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.

Let's add kfree_skb to raw_tp_null_args[] to let the BPF verifier validate such a prog and prevent the issue.

Now we fail to load such a prog:

    libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
    0: R1=ctx() R10=fp0
    ; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21
    0: (79) r3 = *(u64 *)(r1 +24)
    func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
    1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
    ; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
    1: (69) r4 = *(u16 *)(r3 +16)
    R3 invalid mem access 'trusted_ptr_or_null_'
    processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
    -- END PROG LOAD LOG --

Note this fix requires commit 838a10bd2ebf ("bpf: Augment raw_tp arguments with PTR_MAYBE_NULL").

[0]:

    BUG: kernel NULL pointer dereference, address: 0000000000000010
    PF: supervisor read access in kernel mode
    PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    PREEMPT SMP
    RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
    Call Trace:
    <TASK>
    ? __die+0x1f/0x60
    ? page_fault_oops+0x148/0x420
    ? search_bpf_extables+0x5b/0x70
    ? fixup_exception+0x27/0x2c0
    ? exc_page_fault+0x75/0x170
    ? asm_exc_page_fault+0x22/0x30
    ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
    bpf_trace_run4+0x68/0xd0
    ? unix_stream_connect+0x1f4/0x6f0
    sk_skb_reason_drop+0x90/0x120
    unix_stream_connect+0x1f4/0x6f0
    __sys_connect+0x7f/0xb0
    __x64_sys_connect+0x14/0x20
    do_syscall_64+0x47/0xc30
    entry_SYSCALL_64_after_hwframe+0x4b/0x53

AI-Powered Analysis

Last updated: 06/30/2025, 09:56:38 UTC

Technical Analysis

CVE-2025-21852 is a BPF verifier flaw in the Linux kernel that affects BPF programs attached to the kfree_skb tracepoint (trace_kfree_skb). Commit c53795d48ee8 ("net: add rx_sk to trace_kfree_skb") gave the tracepoint a fourth argument, rx_sk, the socket that was to receive the dropped skb; the argument order is skb, location, reason, rx_sk, and the verifier log in the description confirms the position (the program loads it from context offset 24, i.e. argument index 3). rx_sk is optional and is NULL for drops that have no receiving socket. The verifier, however, typed the argument as a trusted, non-NULL pointer (trusted_ptr_sock), so a program that read through rx_sk with no NULL check was accepted at load time and dereferenced NULL the first time the tracepoint fired with rx_sk == NULL. The oops quoted in the description shows exactly that: the BPF program (bpf_prog_5e21a6db8fcff1aa_drop) faults reading address 0x10, called from bpf_trace_run4 via sk_skb_reason_drop in unix_stream_connect, i.e. from an ordinary connect() system call on a Unix stream socket.

The fix is a data change in the verifier rather than a code change: kfree_skb is added to raw_tp_null_args[], the table that records which raw tracepoint arguments may be NULL. With the entry present the argument is typed trusted_ptr_or_null_sock (PTR_MAYBE_NULL), and a load through it before a NULL check is rejected with "R3 invalid mem access 'trusted_ptr_or_null_'", as the verifier log in the description shows. The entry has no effect on kernels that lack commit 838a10bd2ebf ("bpf: Augment raw_tp arguments with PTR_MAYBE_NULL"), so a backport needs both commits.

Affected kernels are those that contain commit c53795d48ee8 but not the fix. Kernels that predate c53795d48ee8 have no rx_sk argument and are not affected.

Triggering the bug requires loading and attaching a BPF program to the tracepoint, which needs CAP_BPF together with CAP_PERFMON (or CAP_SYS_ADMIN). Once such a program is attached, the crash itself needs no privilege: any process can drive a code path that drops an skb with no receiving socket, as the connect() call in the trace does. The result is a kernel oops (a panic where panic_on_oops is set), i.e. a loss of availability; there is no direct confidentiality or integrity impact, and no exploitation in the wild is known. Because the privilege needed to load the program already suffices to crash the machine in other ways, the realistic risk is a buggy but legitimately deployed tracing program rather than a deliberate attacker.

Potential Impact

For European organizations, the vulnerability is an availability risk for Linux systems that run BPF programs attached to kfree_skb: packet-drop monitors, network observability agents, and security tooling that traces dropped skbs. On a vulnerable kernel such a program that reads rx_sk without a NULL check loads cleanly and crashes the host the first time a drop with no receiving socket occurs, which, as the trace in the description shows, can be caused by an unprivileged process making an ordinary connect() call. Data centres, telecommunications networks and government systems that standardize on Linux are therefore exposed mainly through their own tooling: the verifier that should reject such a program does not, so a bug in a vendor's or an in-house BPF program becomes a host crash. Deliberate exploitation requires the privileges needed to load a tracing program (CAP_BPF and CAP_PERFMON, or CAP_SYS_ADMIN), which already suffice to disrupt a system in other ways, so this is neither a remote nor a privilege-escalation vector; an insider or a compromised administrative account could nevertheless use it to take down hosts, or to crash the very monitoring that would record their activity. Organizations in sectors with high Linux adoption and heavy use of eBPF observability, such as finance, manufacturing, and the public sector, should prioritize the review and patching described below.

Mitigation Recommendations

1. Update to a kernel that contains the fix commit, titled "net: Add rx_skb of kfree_skb to raw_tp_null_args[]". Note that c53795d48ee8 is the commit that introduced rx_sk, not the fix, so its presence marks a kernel as vulnerable unless the fix is also present; a backport also requires 838a10bd2ebf ("bpf: Augment raw_tp arguments with PTR_MAYBE_NULL"). To confirm a kernel is fixed, load a tp_btf/kfree_skb program that reads the fourth argument without a NULL check: a fixed kernel rejects it with "invalid mem access 'trusted_ptr_or_null_'", a vulnerable kernel loads it.
2. Restrict who can load and attach tracing BPF programs. Attaching to a raw tracepoint requires CAP_BPF and CAP_PERFMON (or CAP_SYS_ADMIN); grant these to specific services rather than to general administrative accounts, and audit where they are granted. The unprivileged_bpf_disabled sysctl does not help here, since these program types are never available to unprivileged users.
3. Use an LSM to confine program loading: SELinux's bpf object class (prog_load, prog_run) and BPF LSM hooks can limit which processes may load programs. Kernel lockdown does not prevent loading tracing programs and is not a mitigation for this issue.
4. Monitor both sides of the problem. Verifier rejections are returned to the loading process, not written to the kernel log, so collect them from the tools that do the loading; enable audit records for BPF program loads and unloads (AUDIT_BPF) to see what is being loaded; and alert on oops messages whose RIP lies inside a bpf_prog_* symbol, which is the signature of this crash.
5. Review in-house and vendor BPF programs that attach to kfree_skb: any access to the fourth argument must be preceded by an explicit NULL check (if (!rx_sk) return 0;). On a vulnerable kernel the verifier will not catch the omission, so code review is the only guard until the kernel is patched.
6. Apply strict access control and auditing on hosts where BPF loading is permitted, to detect and deter misuse by insiders.
7. Use kernel live patching where available to apply the fix without a reboot, minimizing downtime.
8. Maintain an up-to-date inventory of kernel versions in use, and of which hosts run BPF-based observability agents, to prioritize patching.
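The following is an added example, not code from the kernel, from this page or from its author: a small C model of the verifier rule the fix relies on, serving both the technical analysis above (why the load is rejected only once kfree_skb is in the nullable-argument table) and mitigation item 5 (the NULL check a program author adds). The table layout, the "bit i = argument i may be NULL" mask encoding, the four-instruction mini ISA and the names null_args, try_load and would_fault are assumptions of this model, not the kernel's data structures. The BPF C handler quoted in a comment uses the tracepoint's argument order from the description, but its parameter names and the bpf_printk string are chosen here.

```c
/* Added example, not kernel code: a toy model of the verifier rule behind the
 * CVE-2025-21852 fix. A raw-tracepoint argument listed in a nullable-arguments
 * table is typed PTR_OR_NULL and a load through it is rejected until a branch has
 * proved it non-NULL. Table layout, "bit i = argument i may be NULL" encoding and
 * the mini ISA are assumptions of this model, not the kernel's data structures. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define NREGS 11
#define NINSN(p) ((int)(sizeof(p) / sizeof((p)[0])))
struct null_args_entry { const char *tp; unsigned mask; };
/* Post-fix table: kfree_skb(skb, location, reason, rx_sk) has nullable argument 3, as
 * "arg3 ... trusted_ptr_or_null_sock" in the page's log; a pre-fix kernel is modelled
 * by consulting zero entries of this table. */
static const struct null_args_entry null_args[] = { { "kfree_skb", 1u << 3 } };
enum op { LD_ARG, JEQ_NULL_EXIT, LDX, EXIT };
struct insn { enum op op; int dst; int src; int arg; int off; };
enum regtype { SCALAR, PTR, PTR_OR_NULL };

/* Program from the page's log: r3 = ctx[3] (rx_sk); r4 = *(u16 *)(r3 + 16). */
static const struct insn unsafe_prog[] = {
    { LD_ARG, 3, 0, 3, 0 }, { LDX, 4, 3, 0, 16 }, { EXIT, 0, 0, 0, 0 },
};
/* Same program with the author-side fix, which in BPF C would read:
 *   SEC("tp_btf/kfree_skb")
 *   int BPF_PROG(drop, struct sk_buff *skb, void *location,
 *                enum skb_drop_reason reason, struct sock *rx_sk) {
 *       if (!rx_sk)        // narrows trusted_ptr_or_null_sock to trusted_ptr_sock
 *           return 0;
 *       bpf_printk("family %d", rx_sk->__sk_common.skc_family);
 *       return 0;
 *   } */
static const struct insn safe_prog[] = {
    { LD_ARG, 3, 0, 3, 0 }, { JEQ_NULL_EXIT, 0, 3, 0, 0 },
    { LDX, 4, 3, 0, 16 }, { EXIT, 0, 0, 0, 0 },
};

/* Returns 0 if accepted, else the 1-based index of the rejected instruction with a
 * verifier-style reason in vlog. ntab = how many null_args[] entries the kernel has. */
static int verify(const struct insn *prog, int n, size_t ntab, const char *tp,
                  char *vlog, size_t vlen)
{
    enum regtype regs[NREGS] = { SCALAR };
    unsigned mask = 0;
    for (size_t t = 0; t < ntab; t++)
        if (strcmp(null_args[t].tp, tp) == 0)
            mask = null_args[t].mask;
    for (int i = 0; i < n; i++) {
        const struct insn *in = &prog[i];
        if (in->op == LD_ARG)
            regs[in->dst] = (mask & (1u << in->arg)) ? PTR_OR_NULL : PTR;
        else if (in->op == JEQ_NULL_EXIT && regs[in->src] == PTR_OR_NULL)
            regs[in->src] = PTR; /* taken path exits; fall-through proved non-NULL */
        else if (in->op == LDX && regs[in->src] != PTR) {
            snprintf(vlog, vlen, "%d: R%d invalid mem access '%s'", i, in->src,
                     regs[in->src] == PTR_OR_NULL ? "trusted_ptr_or_null_" : "scalar");
            return i + 1;
        } else if (in->op == LDX)
            regs[in->dst] = SCALAR;
        else if (in->op == EXIT)
            return 0;
    }
    return n; /* fell off the end without EXIT: also rejected */
}
/* Run-time view: with rx_sk NULL, would the program dereference NULL (the oops)? */
static bool would_fault(const struct insn *prog, int n, bool rx_sk_is_null)
{
    bool isnull[NREGS] = { false };
    for (int i = 0; i < n; i++) {
        const struct insn *in = &prog[i];
        if (in->op == LD_ARG)
            isnull[in->dst] = in->arg == 3 && rx_sk_is_null;
        else if (in->op == LDX && isnull[in->src])
            return true;
        else if (in->op == LDX)
            isnull[in->dst] = false;
        else if (in->op == EXIT || (in->op == JEQ_NULL_EXIT && isnull[in->src]))
            return false;
    }
    return false;
}

/* Load attempt of the unsafe or safe program on a fixed or pre-fix kernel. */
static int try_load(bool fixed_kernel, bool safe_program, char *vlog, size_t vlen)
{
    const struct insn *p = safe_program ? safe_prog : unsafe_prog;
    int n = safe_program ? NINSN(safe_prog) : NINSN(unsafe_prog);
    return verify(p, n, fixed_kernel ? 1 : 0, "kfree_skb", vlog, vlen);
}

int main(void)
{
    char vlog[96] = "";
    printf("fixed kernel, unchecked rx_sk: rc=%d %s\n", try_load(true, false, vlog, sizeof vlog), vlog);
    printf("pre-fix kernel, unchecked rx_sk: rc=%d, faults on NULL rx_sk: %d\n",
           try_load(false, false, vlog, sizeof vlog), would_fault(unsafe_prog, NINSN(unsafe_prog), true));
    return 0;
}
```

Build with cc -Wall -o nullarg nullarg.c. On the fixed-kernel model try_load(true, false, ...) returns 2 and leaves "1: R3 invalid mem access 'trusted_ptr_or_null_'" in the log, mirroring the verifier output quoted in the description; the pre-fix model loads the same program (returns 0) and would_fault then reports that it dereferences NULL, which is the bug. The program with the NULL check loads on both models and never faults, because the branch narrows the register type before the load.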


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-12-29T08:45:45.779Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9832c4522896dcbe89f3

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 9:56:38 AM

Last updated: 8/1/2025, 4:40:47 PM
