CVE-2025-21865: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().

Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0]

Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels.

However, this could trigger ->dellink() twice for the same device during ->exit_batch_rtnl().

Say we have two netns A & B and gtp device B that resides in netns B but whose UDP socket is in netns A.

1. cleanup_net() processes netns A and then B.
2. gtp_net_exit_batch_rtnl() finds the device B while iterating netns A's gn->gtp_dev_list and calls ->dellink().
   [ device B is not yet unlinked from netns B as unregister_netdevice_many() has not been called. ]
3. gtp_net_exit_batch_rtnl() finds the device B while iterating netns B's for_each_netdev() and calls ->dellink().

gtp_dellink() cleans up the device's hash table, unlinks the dev from gn->gtp_dev_list, and calls unregister_netdevice_queue().

Basically, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled.

Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as done in bareudp.

[0]:
list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)
kernel BUG at lib/list_debug.c:58!
AI Analysis
Technical Summary
CVE-2025-21865 is a vulnerability in the Linux kernel's GPRS Tunneling Protocol (GTP) implementation, specifically within the gtp_net_exit_batch_rtnl() function. The issue arises from improper handling of device destruction across multiple network namespaces (netns). The vulnerability is triggered when the function attempts to destroy GTP devices associated with UDP sockets that span different network namespaces. The flawed logic causes the device's deletion routine (gtp_dellink()) to be called multiple times on the same device during the network namespace cleanup process. This leads to list corruption in the kernel's linked list management, particularly when CONFIG_DEBUG_LIST is enabled, causing kernel BUGs and system crashes. The root cause is that the for_each_netdev() loop in gtp_net_exit_batch_rtnl() redundantly calls the device deletion callback for devices that are linked to multiple netns, resulting in double unlinking and corruption of kernel data structures. The fix involves removing the redundant for_each_netdev() loop and delegating device destruction to the default_device_exit_batch() function, aligning with the approach used in other tunneling protocols like bareudp. This vulnerability can cause system instability, kernel panics, and denial of service due to corrupted kernel lists and invalid memory operations during network namespace teardown. It affects Linux kernel versions prior to the patch commit eb28fd76c0a0 and is particularly relevant for systems using GTP tunnels, commonly found in mobile network infrastructure and telecommunications equipment. No known exploits are reported in the wild as of the publication date.
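A userspace model of the double ->dellink() sequence described above, added here as an illustration and not code from the kernel or the commit: the netns, gtp_dev and list layouts are constructed, the check inside list_del() stands in for CONFIG_DEBUG_LIST, and run_exit_batch(true) reproduces the splat while run_exit_batch(false) applies the fix of walking gtp_dev_list only.

```c
/* Added example, not kernel code: a userspace model of the double ->dellink() in
 * gtp_net_exit_batch_rtnl() and of the CONFIG_DEBUG_LIST check that turns the
 * second list_del() into a splat. The struct layouts below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
struct list_head { struct list_head *next, *prev; };
struct netns {
	struct list_head gtp_dev_list;  /* gn->gtp_dev_list: devices whose UDP socket is here */
	struct list_head dev_base_head; /* what for_each_netdev() walks: devices residing here */
};
struct gtp_dev {
	struct list_head list;     /* linkage on the socket netns's gtp_dev_list */
	struct list_head dev_list; /* linkage on the device netns's dev_base_head */
};
static int splats, dellink_calls;
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) { n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
/* CONFIG_DEBUG_LIST stand-in: an entry poisoned by an earlier list_del() is rejected (the kernel BUG()s). */
static void list_del(struct list_head *e)
{
	if (e->next == LIST_POISON1 || e->prev == LIST_POISON2) { splats++; return; }
	e->prev->next = e->next; e->next->prev = e->prev;
	e->next = LIST_POISON1; e->prev = LIST_POISON2;
}
/* gtp_dellink(): unlink from gn->gtp_dev_list and queue the unregister (counted).
 * dev_list is only unlinked later by unregister_netdevice_many(), so not here. */
static void gtp_dellink(struct gtp_dev *d) { list_del(&d->list); dellink_calls++; }
/* cleanup_net() processing netns A then B. buggy=true keeps the for_each_netdev()
 * loop added by eb28fd76c0a0; buggy=false is the fix (walk gtp_dev_list only). */
static int run_exit_batch(bool buggy)
{
	struct netns a, b, *batch[2] = { &a, &b };
	struct gtp_dev dev_b;
	struct list_head *p, *n;
	splats = dellink_calls = 0;
	for (int i = 0; i < 2; i++) { INIT_LIST_HEAD(&batch[i]->gtp_dev_list); INIT_LIST_HEAD(&batch[i]->dev_base_head); }
	list_add(&dev_b.list, &a.gtp_dev_list);      /* UDP socket lives in netns A */
	list_add(&dev_b.dev_list, &b.dev_base_head); /* device itself resides in netns B */
	for (int i = 0; i < 2; i++) {
		struct netns *net = batch[i];
		for (p = net->gtp_dev_list.next; p != &net->gtp_dev_list; p = n) { /* step 2 */
			n = p->next; /* save before list_del() poisons p->next */
			gtp_dellink(container_of(p, struct gtp_dev, list));
		}
		if (buggy) /* step 3: dev_b is still on netns B's list, so ->dellink() runs again */
			for (p = net->dev_base_head.next; p != &net->dev_base_head; p = p->next)
				gtp_dellink(container_of(p, struct gtp_dev, dev_list));
	}
	return splats; /* 1 with the buggy loop, 0 with the fix */
}
```

With the fix, dev_b is destroyed exactly once through netns A's gtp_dev_list; the second, poisoned list_del() never happens, which is what the removed for_each_netdev() loop was triggering.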
Potential Impact
For European organizations, the impact of CVE-2025-21865 can be significant, especially for those operating telecommunications infrastructure, mobile network equipment, or cloud environments that utilize Linux-based systems with GTP tunneling. The vulnerability can lead to kernel crashes and denial of service, potentially disrupting critical network services and communications. This is particularly relevant for telecom operators, internet service providers, and enterprises relying on virtualized network functions or containers that use network namespaces extensively. The instability caused by kernel list corruption could also lead to broader system outages, affecting service availability and operational continuity. Given the widespread use of Linux in European data centers and telecom infrastructure, unpatched systems could face increased risk of service degradation or downtime. While no direct exploitation is known, the complexity and severity of kernel panics make this a high-impact vulnerability for environments requiring high availability and reliability. Additionally, the vulnerability could be leveraged as part of a multi-stage attack to escalate privileges or disrupt network functions if combined with other vulnerabilities.
Mitigation Recommendations
To mitigate CVE-2025-21865, European organizations should:

1) Immediately apply the official Linux kernel patches that address the vulnerability, specifically the commit eb28fd76c0a0 or later stable kernel releases containing the fix.
2) Conduct an inventory of systems running affected Linux kernel versions, focusing on those utilizing GTP tunnels or network namespaces, such as telecom infrastructure, mobile core network elements, and containerized environments.
3) Enable kernel debugging and monitoring tools to detect abnormal kernel list operations or unexpected device deletions during network namespace cleanup.
4) Implement strict change management and testing procedures for kernel updates in production environments to minimize downtime.
5) Consider isolating or segmenting network namespaces and GTP tunnel usage to limit the blast radius of potential kernel crashes.
6) Engage with Linux distribution vendors and telecom equipment providers to ensure timely updates and coordinated vulnerability response.
7) Monitor security advisories for any emerging exploits or related vulnerabilities in the GTP kernel module.

These steps go beyond generic advice by focusing on the specific affected components, operational contexts, and proactive detection strategies.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.781Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8a52
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 10:09:34 AM
Last updated: 8/11/2025, 2:45:47 AM