
CVE-2025-21857: Vulnerability in Linux

Severity: High
Published: Wed Mar 12 2025 (03/12/2025, 09:42:10 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_api: fix error handling causing NULL dereference

tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcf_exts_init_ex() which sets exts->actions to NULL and returns 1 to caller fl_change().

fl_change() treats err == 1 as success, calling tcf_exts_validate_ex() which calls tcf_action_init() with exts->actions as argument, where it is dereferenced.

Example trace:

BUG: kernel NULL pointer dereference, address: 0000000000000000
CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1
RIP: 0010:tcf_action_init+0x1f8/0x2c0
Call Trace:
tcf_action_init+0x1f8/0x2c0
tcf_exts_validate_ex+0x175/0x190
fl_change+0x537/0x1120 [cls_flower]

AI-Powered Analysis

Last updated: 06/30/2025, 09:57:42 UTC

Technical Analysis

CVE-2025-21857 is a vulnerability in the Linux kernel's network scheduler (net/sched), specifically in cls_api, the code that manages classifier extensions. The bug is an error-handling mistake in tcf_exts_miss_cookie_base_alloc(), which calls xa_alloc_cyclic(). That function returns 1 when an allocation succeeds after the cyclic ID range wraps, but the affected code treated any non-zero return as an error. As a result, tcf_exts_init_ex() set exts->actions to NULL and returned 1 to its caller fl_change(). fl_change(), however, only treats negative return values as errors, so err == 1 was taken as success: it went on to call tcf_exts_validate_ex(), which calls tcf_action_init() with the now-NULL exts->actions pointer, producing a NULL pointer dereference and a kernel BUG. The outcome is a kernel crash and therefore a denial of service (DoS). The crash occurs during traffic control operations, specifically when a cls_flower filter is added or modified (fl_change), and the stack trace in the description shows the fault in tcf_action_init(). The affected code is identified by commit hash 80cd22c35c9001fe72bf614d29439de41933deca, and other kernel versions carrying the same code are likely affected; the example trace comes from a 5.14.0-503.16.1.el9_5 distribution kernel, so distribution kernels with backports of this code are affected as well. No exploits are currently reported in the wild, and no CVSS score has been assigned. The root cause is a logic error in interpreting a return code, which leads to a NULL pointer dereference in kernel space. It can be triggered remotely if an attacker can manipulate network traffic control filters; note that adding or changing tc filters through rtnetlink normally requires CAP_NET_ADMIN in the relevant network namespace, so the practical exposure is through privileged administration paths, including automation or container orchestration that programs such filters. The consequence is system instability or denial of service.
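A constructed C model of the error path described above (added here as an illustration; it is not kernel code, and the function names are simplified stand-ins for the kernel functions they mirror). A mock cyclic allocator returns 1 once its tiny ID range wraps; the buggy check propagates that 1 as an error, the caller treats err == 1 as success, and the NULL actions pointer reaches the point where tcf_action_init() would dereference it. The corrected check is assumed here to treat only negative values as failures, which matches the documented xa_alloc_cyclic() contract.

```c
#include <stdlib.h>
/* Constructed model of the CVE-2025-21857 call chain (not kernel code). */
#define ID_LIMIT 3U       /* tiny id range so the cyclic allocator wraps fast */
static unsigned next_id;  /* stands in for the xarray's cyclic "next" cursor */
/* Mimics xa_alloc_cyclic(): 0 on success, 1 on success after wrap, <0 on failure. */
static int mock_xa_alloc_cyclic(unsigned *id)
{
    int wrapped = next_id > ID_LIMIT;  /* a wrap is still a success, reported as 1 */
    if (wrapped) next_id = 0;
    *id = next_id++;
    return wrapped;
}
/* Models tcf_exts_miss_cookie_base_alloc(); the buggy form treats 1 as an error. */
static int miss_cookie_base_alloc(int fixed)
{
    unsigned cookie_base;
    int err = mock_xa_alloc_cyclic(&cookie_base);
    return (fixed ? err < 0 : err != 0) ? err : 0;  /* fixed: only err < 0 fails */
}

/* Models tcf_exts_init_ex(): on non-zero err, actions is freed and left NULL. */
static int exts_init_ex(void **actions, int fixed)
{
    *actions = calloc(1, sizeof(void *));
    if (!*actions) return -12;  /* -ENOMEM */
    int err = miss_cookie_base_alloc(fixed);
    if (err) { free(*actions); *actions = NULL; }  /* as tcf_exts_destroy() does */
    return err;                                    /* a 1 passes through unchanged */
}

/* Models fl_change(): only err < 0 is failure, so err == 1 reaches validation.
 * Returns 1 where tcf_action_init() would dereference NULL, 0 when safe. */
static int fl_change_sim(int fixed)
{
    void *actions;
    int err = exts_init_ex(&actions, fixed);
    if (err < 0) return err;
    if (actions == NULL) return 1;  /* the crash path described in the advisory */
    free(actions);
    return 0;
}
/* Applies n filter changes; returns the first one that would crash, else 0. */
static int run_changes(int fixed, int n)
{
    next_id = 0;
    for (int i = 1; i <= n; i++)
        if (fl_change_sim(fixed) == 1) return i;
    return 0;
}
```

With the buggy check the fifth filter change (the first one after the ID range wraps) reaches the NULL dereference; with the corrected check all changes complete.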

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those leveraging advanced network traffic control features such as cls_flower filters. The impact is mainly a denial of service through kernel crashes, which can disrupt critical network infrastructure, servers, and cloud environments. Organizations relying on Linux-based routers, firewalls, or network appliances could experience outages or degraded service. Given the kernel-level nature of the vulnerability, exploitation could lead to system instability requiring reboots, impacting availability of services. Confidentiality and integrity impacts are limited as the vulnerability does not directly allow code execution or privilege escalation. However, disruption of network services can indirectly affect business operations, compliance requirements, and incident response capabilities. European sectors with high dependency on Linux infrastructure, such as telecommunications, finance, and government, may face operational risks. The absence of known exploits reduces immediate threat but does not eliminate the risk of future exploitation once the vulnerability is publicly known.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize updating their Linux kernel to a version where this issue is fixed. Since the vulnerability stems from a specific kernel commit, applying the latest stable kernel patches from trusted Linux distributions (e.g., Red Hat, Debian, Ubuntu) is essential. Network administrators should audit and restrict the use of advanced traffic control filters, especially cls_flower and related modules, limiting who can modify these configurations. Implement strict access controls and monitoring on systems managing network traffic control to detect anomalous changes. Employ kernel crash monitoring and automated recovery mechanisms to minimize downtime. For environments where immediate patching is not feasible, consider isolating vulnerable systems from untrusted networks or limiting network traffic control functionality. Engage with Linux vendor security advisories for timely updates and backported patches. Additionally, conduct thorough testing of network control configurations post-patching to ensure stability and functionality.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.780Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe8a07

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 9:57:42 AM

Last updated: 8/11/2025, 6:13:41 PM

