
CVE-2025-21858: Vulnerability in the Linux kernel (geneve driver)

Severity: High
Published: Wed Mar 12 2025 (03/12/2025, 09:42:11 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

geneve: Fix use-after-free in geneve_find_dev().

syzkaller reported a use-after-free in geneve_find_dev() [0] without repro.

geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list.

The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.

When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each dev in the netns, and later the dev is freed.

However, its geneve_dev.next is still linked to the backend UDP socket netns.

Then, use-after-free will occur when another geneve dev is created in the netns.

Let's call geneve_dellink() instead in geneve_destroy_tunnels().

[0]:
BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]
BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441
CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x16c/0x6f0 mm/kasan/report.c:489
 kasan_report+0xc0/0x120 mm/kasan/report.c:602
 __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379
 geneve_find_dev drivers/net/geneve.c:1295 [inline]
 geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
 geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634
 rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795
 __rtnl_newlink net/core/rtnetlink.c:3906 [inline]
 rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
 netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348
 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:713 [inline]
 __sock_sendmsg net/socket.c:728 [inline]
 ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568
 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622
 __sys_sendmsg net/socket.c:2654 [inline]
 __do_sys_sendmsg net/socket.c:2659 [inline]
 __se_sys_sendmsg net/socket.c:2657 [inline]
 __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600

Allocated by task 13247:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x30/0x68 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4298 [inline]
 __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304
 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645
 alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470
 rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604
 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780
 __rtnl_newlink net/core/rtnetlink.c:3906 [inline]
 rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
 netlink_unicast_kernel net/netlink/af_n ---truncated---

AI-Powered Analysis

Last updated: 07/03/2025, 04:55:04 UTC

Technical Analysis

CVE-2025-21858 is a high-severity use-after-free in the geneve tunnelling driver of the Linux kernel (drivers/net/geneve.c). The driver keeps every geneve device on a per-namespace list, geneve_list, reached through net_generic(net, geneve_net_id). geneve_configure() links a new device into the list of the namespace that owns the backend UDP socket, and that namespace need not be the one the device itself lives in (dev_net(dev)): an RTM_NEWLINK request carrying IFLA_NET_NS_PID, IFLA_NET_NS_FD or IFLA_TARGET_NETNSID places the device in one namespace while its socket, and therefore its list entry, stays in another. When the device's own namespace is dismantled, geneve_exit_batch_rtnl() walks that namespace's devices and calls unregister_netdevice_queue() on each; the device is later freed, but its geneve_dev.next entry is never removed from the other namespace's geneve_list. The next geneve device created in the socket's namespace makes geneve_configure() call geneve_find_dev(), which walks that list and reads from the freed object (KASAN reports a 2-byte slab-use-after-free read at drivers/net/geneve.c:1295). syzkaller found the bug without a reproducer. The fix makes geneve_destroy_tunnels() call geneve_dellink(), which unlinks the device from geneve_list before queueing it for unregistration, so teardown of the device's namespace and teardown of its list membership can no longer diverge.

Triggering the bug requires the ability to create geneve devices and to create and tear down network namespaces. RTM_NEWLINK needs CAP_NET_ADMIN in the target namespace; on kernels that allow unprivileged user namespaces, a local user obtains that capability inside namespaces they create, so "local privileges" here does not mean root. A use-after-free in kernel slab memory is at minimum a kernel crash (denial of service) and, given enough control over the freed slot, a route to kernel memory corruption and privilege escalation, which is why the CVSS 3.1 score is 7.8 (High): local attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity and availability (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Affected kernels are those that carry the geneve_exit_batch_rtnl() teardown path without this fix; check your distribution's advisory for the exact builds. No public exploit is referenced and none is reported in the wild.
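The teardown ordering described above, as an added user-space model that is not kernel code and does not come from the advisory: the function and list names follow the commit message, but the bodies are simplified stand-ins for drivers/net/geneve.c. A fixed object pool and a "freed" flag are assumed in place of the slab allocator and KASAN, so the stale list walk is counted deterministically instead of being undefined behaviour. run_scenario(false) reproduces the pre-fix geneve_destroy_tunnels() and reports one freed object read; run_scenario(true) routes teardown through geneve_dellink() and reports none.

```c
/* Added example (not kernel code): a user-space model of the CVE-2025-21858
 * teardown bug. Names follow the commit message; bodies are stand-ins for
 * drivers/net/geneve.c. The fixed pool and "freed" flag replace slab+KASAN. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal intrusive doubly linked list in the shape of <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head; head->next->prev = n; head->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;                  /* poison, like LIST_POISON1/2 */
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Two per-netns lists matter: the netns's own device list, which dismantling
 * walks, and the driver's geneve_list, which lives in the socket's netns. */
struct net { struct list_head dev_base_head, geneve_list; };

struct geneve_dev {
    struct list_head dev_list;   /* on dev_net(dev)->dev_base_head */
    struct list_head next;       /* on sock_net->geneve_list */
    uint16_t dst_port;           /* the 2-byte field geneve_find_dev() reads */
    bool freed;                  /* fake-free marker; KASAN's role in the kernel */
};

/* Fixed pool instead of malloc: a "freed" object stays addressable. */
#define POOL_SIZE 8
static struct geneve_dev pool[POOL_SIZE];
static int pool_used;

static void net_init(struct net *n) { INIT_LIST_HEAD(&n->dev_base_head); INIT_LIST_HEAD(&n->geneve_list); }

/* geneve_find_dev(): walk the socket netns's geneve_list for dst_port. *stale
 * counts freed objects touched (the read at geneve.c:1295); the kernel has no such guard. */
static struct geneve_dev *geneve_find_dev(struct net *net, uint16_t dst_port, int *stale) {
    struct list_head *p;
    for (p = net->geneve_list.next; p != &net->geneve_list; p = p->next) {
        struct geneve_dev *g = container_of(p, struct geneve_dev, next);
        if (g->freed) { (*stale)++; continue; }
        if (g->dst_port == dst_port) return g;
    }
    return NULL;
}

/* geneve_configure(): with IFLA_NET_NS_PID/FD or IFLA_TARGET_NETNSID set, the
 * device lives in dev_net while its socket and list entry are in sock_net. */
static struct geneve_dev *geneve_configure(struct net *dev_net, struct net *sock_net,
                                           uint16_t dst_port, int *stale) {
    struct geneve_dev *g;
    if (geneve_find_dev(sock_net, dst_port, stale) || pool_used >= POOL_SIZE)
        return NULL;                           /* -EBUSY / -ENOMEM */
    g = &pool[pool_used++];
    *g = (struct geneve_dev){ .dst_port = dst_port };
    list_add(&g->dev_list, &dev_net->dev_base_head);
    list_add(&g->next, &sock_net->geneve_list);
    return g;
}

/* unregister_netdevice_queue() plus the later free: leaves the netns's device
 * list and releases the memory. geneve_list is not touched. */
static void unregister_netdevice_queue(struct geneve_dev *g) {
    list_del(&g->dev_list);
    g->freed = true;
}

/* geneve_dellink(): the rtnl_link_ops dellink path, which unlinks first. */
static void geneve_dellink(struct geneve_dev *g) {
    list_del(&g->next);
    unregister_netdevice_queue(g);
}

/* geneve_destroy_tunnels(), run by geneve_exit_batch_rtnl() on dismantle.
 * Pre-fix it only unregisters; the fix routes through geneve_dellink(). */
static void geneve_destroy_tunnels(struct net *net, bool fixed) {
    struct list_head *p = net->dev_base_head.next;
    while (p != &net->dev_base_head) {         /* for_each_netdev_safe() */
        struct geneve_dev *g = container_of(p, struct geneve_dev, dev_list);
        p = p->next;
        if (fixed) geneve_dellink(g); else unregister_netdevice_queue(g);
    }
}

/* Commit-message sequence: device in ns_a with its socket in ns_b, ns_a is
 * dismantled, then another geneve device is created in ns_b. Returns how many
 * freed objects geneve_find_dev() read during that second create. */
int run_scenario(bool fixed) {
    struct net ns_a, ns_b;
    int stale = 0;
    pool_used = 0;
    net_init(&ns_a);
    net_init(&ns_b);
    geneve_configure(&ns_a, &ns_b, 6081, &stale);  /* cross-netns create */
    geneve_destroy_tunnels(&ns_a, fixed);           /* dismantle dev_net(dev) */
    stale = 0;
    geneve_configure(&ns_b, &ns_b, 6082, &stale);  /* trigger in socket netns */
    return stale;                                   /* 1 pre-fix, 0 fixed */
}
```

The point the model makes is structural: the device sits on two lists owned by two different namespaces, and the pre-fix teardown walked only one of them. Any driver that registers per-netns state for an object whose dev_net can be redirected with IFLA_NET_NS_* attributes has the same shape and deserves the same review.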

Potential Impact

For European organizations the exposed population is every Linux host on which the geneve driver is built in or loadable, not only hosts that deliberately run geneve tunnels: the bug is triggered by creating geneve devices, which an attacker does for themselves. Geneve is the usual overlay encapsulation in cloud and data-centre fabrics (OVN, the Open vSwitch virtual network, uses it by default), in container and Kubernetes networking, and in NFV and SDN deployments, so those environments combine the largest attack surface with the highest consequences. An attacker with local code execution and the ability to create user and network namespaces, for example a tenant workload in a container that was not stripped of that ability, could crash the host kernel or, with a working exploit, corrupt kernel memory and escalate to root; on a multi-tenant platform that is an escape from the tenant boundary and access to other tenants' data. Service disruption, unauthorized data access and loss of business continuity follow directly. Given the high impact on confidentiality, integrity and availability, patching should be prioritised both to protect critical infrastructure and to meet data protection obligations such as GDPR.

Mitigation Recommendations

1. Update to a kernel that carries the fix "geneve: Fix use-after-free in geneve_find_dev()" (mainline and the stable backports, or your distribution's patched build). Check the distribution's CVE tracker for the exact package version, test in staging, and schedule the reboot that a kernel update needs.
2. Limit who can create geneve devices and network namespaces. A link is created with RTM_NEWLINK, which needs CAP_NET_ADMIN in the target network namespace; an unprivileged local user gets that capability inside a user namespace they create, so where unprivileged user namespaces are not required, disable them (sysctl user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels) and do not grant CAP_NET_ADMIN to containers. Disabling user namespaces breaks rootless containers and some application sandboxes, so verify workloads first.
3. Do not count on KASAN or KPTI. KASAN is a debugging option for development and fuzzing kernels, not a production mitigation, and KPTI addresses speculative-execution leaks, not use-after-free. Slab hardening that does ship in production kernels (CONFIG_SLAB_FREELIST_HARDENED, CONFIG_SLAB_FREELIST_RANDOM) makes turning the freed object into a controlled write harder but does not remove the bug.
4. Keep container and virtualization policy strict: run containers under a seccomp profile that blocks unshare() and other namespace-creating calls (Docker's default profile does; Kubernetes only applies one when seccompProfile is set to RuntimeDefault), drop CAP_NET_ADMIN from workloads, and keep untrusted workloads off hosts that share a kernel with sensitive tenants until they are patched.
5. Monitor the kernel log and journal for oopses or warnings naming geneve_find_dev, geneve_configure or geneve_newlink, and watch for unexpected geneve link creation (ip monitor link, or audit rules on the unshare and setns syscalls) from processes that have no business managing tunnels.
6. Where EDR or eBPF-based runtime tooling is deployed, alert on namespace creation and netlink link creation by non-administrative processes; an exploitation attempt that fails still leaves a crash or oops worth collecting.
7. If patching must wait and geneve is not needed, remove the attack surface: unload the module (modprobe -r geneve) and stop it loading again with an "install geneve /bin/false" line in /etc/modprobe.d/. This only works when geneve is built as a module (CONFIG_GENEVE=m). If overlay tunnels are needed in the meantime, an alternative encapsulation such as VXLAN is not affected by this bug.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.780Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe8a0b

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 4:55:04 AM

Last updated: 8/8/2025, 2:01:33 PM

