CVE-2025-21866: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC

Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6:

BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8
Write of size 8 at addr f1000000 by task chronyd/1293

CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2
Tainted: [W]=WARN
Hardware name: PowerMac3,6 7455 0x80010303 PowerMac
Call Trace:
[c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)
[c24375b0] [c0504998] print_report+0xdc/0x504
[c2437610] [c050475c] kasan_report+0xf8/0x108
[c2437690] [c0505a3c] kasan_check_range+0x24/0x18c
[c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8
[c24376c0] [c004c014] patch_instructions+0x15c/0x16c
[c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c
[c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac
[c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec
[c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478
[c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14
[c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4
[c24379d0] [c027111c] do_seccomp+0x3dc/0x1890
[c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420
[c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c
--- interrupt: c00 at 0x5a1274
NIP: 005a1274 LR: 006a3b3c CTR: 005296c8
REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4)
MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000
GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932
GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57
GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002
GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001
NIP [005a1274] 0x5a1274
LR [006a3b3c] 0x6a3b3c
--- interrupt: c00

The buggy address belongs to the virtual mapping at [f1000000, f1002000)
created by: text_area_cpu_up+0x20/0x190

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30
flags: 0x80000000(zone=2)
raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001
raw: 00000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
           ^
f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not initialised hence not supposed to be used yet.

Powerpc text patching infrastructure allocates a virtual memory area using get_vm_area() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmalloc_node_range() which is never called for that area.

That went undetected until commit e4137f08816b ("mm, kasan, kmsan: instrument copy_from/to_kernel_nofault")

The area allocated by text_area_cpu_up() is not vmalloc memory, it is mapped directly on demand when needed by map_kernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisoned and usable immediately.
AI Analysis
Technical Summary
CVE-2025-21866 is a Linux kernel issue in the PowerPC code patching infrastructure (powerpc/code-patching). It surfaced as a KASAN report while booting a KASAN-enabled 6.13-rc6 kernel on a PowerMac G4: chronyd (an unprivileged task, UID 123) installed a seccomp filter, the BPF JIT compiled it, and the chain bpf_arch_text_copy() -> patch_instructions() -> copy_to_kernel_nofault() wrote 8 bytes to f1000000, the start of the per-CPU text patching area created by text_area_cpu_up(). KASAN classified that write as vmalloc-out-of-bounds. The write itself is legitimate; the problem is stale KASAN shadow state. text_area_cpu_up() obtains the area with get_vm_area() and the VM_ALLOC flag. VM_ALLOC marks an area that vmalloc() will populate through __vmalloc_node_range(), and it is that call which unpoisons the area's KASAN shadow; the text patching code never makes it, because the area's pages are mapped on demand with map_kernel_page(). The shadow therefore kept the value 0xf8 (KASAN_VMALLOC_INVALID, meaning "not initialised, not supposed to be used yet"), and once commit e4137f08816b ("mm, kasan, kmsan: instrument copy_from/to_kernel_nofault") added instrumentation to copy_to_kernel_nofault(), every patch through that area was reported. The fix passes no flag to get_vm_area(), which makes the vmalloc layer unpoison the area at allocation time so it is usable immediately. The condition is not specific to PowerMac G4 hardware: any PowerPC kernel built with KASAN that contains commit e4137f08816b together with the unfixed code-patching code exhibits it, whereas kernels built without KASAN have no shadow memory to leave poisoned and the flag was functionally harmless there. No exploitation in the wild is known and no CVSS score has been assigned.
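To make the mechanism concrete, the following is an added example written for this page, not kernel code: a userspace C model of the generic KASAN shadow bookkeeping that produced the report. It assumes the generic KASAN shadow encoding (one shadow byte per 8-byte granule; 0x00 means all bytes accessible, 1..7 means only the first n bytes are accessible, 0xf8 is KASAN_VMALLOC_INVALID) and the rule in __get_vm_area_node() that only areas requested without VM_ALLOC are unpoisoned at allocation time. The area base and size are the values from the report, and the whole BPF JIT path is reduced to the single 8-byte write the report shows. Running it shows the same write reported when the area is obtained with VM_ALLOC and accepted once the flag is dropped.

```c
/*
 * Added example, not kernel code: a userspace model of the generic KASAN
 * vmalloc shadow logic behind CVE-2025-21866. Shadow encoding: one byte per
 * 8-byte granule; 0x00 = all 8 bytes accessible, 1..7 = only the first n
 * bytes accessible, 0xf8 = KASAN_VMALLOC_INVALID. __get_vm_area_node()
 * unpoisons an area at allocation time only when VM_ALLOC is absent; a
 * VM_ALLOC area is unpoisoned later by __vmalloc_node_range(), which the
 * powerpc text patching code never calls. Addresses are the 32-bit values
 * from the report; nothing here touches real kernel memory.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_GRANULE_SIZE    8
#define KASAN_VMALLOC_INVALID 0xf8
#define VM_ALLOC              0x00000002u  /* value from include/linux/vmalloc.h */

/* The 8 KiB text patching area [f1000000, f1002000) named in the report. */
#define AREA_BASE 0xf1000000u
#define AREA_SIZE 0x2000u

static uint8_t shadow[AREA_SIZE / KASAN_GRANULE_SIZE];
static char last_report[160];   /* last KASAN BUG line, empty if none */

static uint8_t *shadow_of(uint32_t addr)
{
	return &shadow[(addr - AREA_BASE) / KASAN_GRANULE_SIZE];
}

/* kasan_populate_vmalloc(): freshly populated vmalloc shadow is INVALID. */
static void poison_vmalloc(uint32_t addr, uint32_t size)
{
	memset(shadow_of(addr), KASAN_VMALLOC_INVALID, size / KASAN_GRANULE_SIZE);
}

/* kasan_unpoison(): whole granules become 0; a trailing partial granule
 * records how many of its bytes are accessible (kasan_poison_last_granule). */
static void unpoison(uint32_t addr, uint32_t size)
{
	memset(shadow_of(addr), 0, size / KASAN_GRANULE_SIZE);
	if (size % KASAN_GRANULE_SIZE)
		*shadow_of(addr + size) = size % KASAN_GRANULE_SIZE;
}

/* get_vm_area(): carve the area out and, as __get_vm_area_node() does,
 * unpoison it only when the caller did not ask for VM_ALLOC. */
static uint32_t get_vm_area(uint32_t size, unsigned long flags)
{
	uint32_t addr = AREA_BASE;

	poison_vmalloc(addr, size);
	if (!(flags & VM_ALLOC))
		unpoison(addr, size);
	return addr;
}

/* Per-byte generic KASAN test: returns 1 if the byte at addr is poisoned. */
static int byte_is_poisoned(uint32_t addr)
{
	uint8_t s = *shadow_of(addr);

	if (s == 0)
		return 0;
	if (s < KASAN_GRANULE_SIZE)
		return (addr % KASAN_GRANULE_SIZE) >= s;
	return 1;
}

/* kasan_check_range() as reached from copy_to_kernel_nofault():
 * returns 0 if the write is allowed, 1 after emitting a report. */
static int kasan_check_write(uint32_t addr, uint32_t size)
{
	last_report[0] = '\0';
	for (uint32_t a = addr; a < addr + size; a++) {
		if (!byte_is_poisoned(a))
			continue;
		snprintf(last_report, sizeof last_report,
			 "BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault: "
			 "Write of size %u at addr %08x (shadow byte %02x)",
			 (unsigned)size, (unsigned)addr, (unsigned)*shadow_of(a));
		puts(last_report);
		return 1;
	}
	return 0;
}

/* text_area_cpu_up() followed by patch_instructions() writing one 8-byte
 * word at the start of the area: the "Write of size 8 at addr f1000000"
 * from the report. Before the fix the flags were VM_ALLOC, after it 0. */
static int patch_with_flags(unsigned long flags)
{
	uint32_t area = get_vm_area(AREA_SIZE, flags);

	return kasan_check_write(area, 8);
}

int main(void)
{
	printf("get_vm_area(VM_ALLOC), before fix: %s\n",
	       patch_with_flags(VM_ALLOC) ? "KASAN report" : "clean");
	printf("get_vm_area(0), after fix:         %s\n",
	       patch_with_flags(0) ? "KASAN report" : "clean");
	return 0;
}
```

The partial-granule case (unpoison() with a size that is not a multiple of 8) is included because it is the same shadow logic KASAN applies to odd-sized allocations; the text patching area itself is page-sized, so only the 0x00 and 0xf8 values appear in the real report.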
Potential Impact
For European organizations the impact of CVE-2025-21866 is narrow. The affected code lives in the PowerPC architecture tree, so x86_64 and ARM fleets are out of scope; only PowerPC Linux systems (legacy PowerMac hardware, embedded devices and specialised platforms) can be affected. Within that set, the condition manifests only on kernels built with KASAN: without KASAN there is no shadow memory to leave poisoned and the VM_ALLOC flag has no functional effect on the patching path. KASAN is a debug facility, so production kernels are normally not exposed and the realistic population is development, test and CI machines. On an affected kernel the trigger is ordinary activity: in the report an unprivileged daemon (chronyd, UID 123) installing a seccomp filter caused the BPF JIT to write into the text patching area and KASAN to report vmalloc-out-of-bounds. The report on its own is noisy but non-fatal; if the kernel is configured to panic on KASAN reports (kasan.fault=panic) or on warnings (panic_on_warn), the result is a crash, that is a denial of service reachable from unprivileged userspace. There is no indication of a memory corruption primitive, privilege escalation or remote code execution: the 8-byte write lands in memory the kernel mapped for exactly this purpose. Because the BPF JIT is exercised by seccomp, network filtering and security monitoring tooling, a KASAN-enabled kernel with this bug cannot run those workloads cleanly and will hit the report as soon as a BPF program is JIT-compiled. With no known exploitation, the immediate risk is low, but unpatched KASAN-enabled PowerPC kernels remain exposed to crashes and to spurious sanitizer findings that mask real ones.
Mitigation Recommendations
European organizations should take the following specific actions: 1) Inventory Linux systems on PowerPC (uname -m reporting ppc, ppc64 or ppc64le) and determine which of them run kernels built with CONFIG_KASAN, for example from /proc/config.gz or the distribution's kernel config; KASAN is a debug option, so development, test and CI machines are the likely exposure rather than production builds. 2) Apply the upstream fix, the commit titled "powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC", or a stable or distribution kernel that backports it. 3) Where a KASAN-enabled kernel cannot be patched promptly and the BPF JIT is not required, set the sysctl net.core.bpf_jit_enable=0 (not possible where CONFIG_BPF_JIT_ALWAYS_ON is set); this removes the trigger path shown in the report, JIT output being copied into the text patching area, but not the underlying flag mistake, since the kernel's other code patching uses the same area. 4) Watch kernel logs for "BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault" with the mapping attributed to text_area_cpu_up, and review whether panic_on_warn or kasan.fault=panic is set on those systems, since either turns the report into a crash. 5) Engage with hardware and software vendors so that embedded or legacy PowerPC devices receive updated kernels. 6) Test kernel updates in a controlled environment before deployment to avoid unintended disruptions. 7) Maintain backup and recovery procedures for affected systems to minimise downtime in case of crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.781Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8a56
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 10:09:49 AM
Last updated: 7/31/2025, 2:25:57 PM
Views: 12
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)