CVE-2025-21867: Vulnerability in the Linux kernel

Severity: High
Tags: Vulnerability, CVE, CVE-2025-21867
Published: Thu Mar 27 2025 (03/27/2025, 13:38:20 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value as the user_data argument to bpf_test_init(). Fix this by returning an error when user_data is less than ETH_HLEN in bpf_test_init(). Additionally, remove the check for "if (user_size > size)" as it is unnecessary.

[1]
BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
 eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
 eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
 __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635
 xdp_recv_frames net/bpf/test_run.c:272 [inline]
 xdp_test_run_batch net/bpf/test_run.c:361 [inline]
 bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390
 bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318
 bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371
 __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777
 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864
 x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 free_pages_prepare mm/page_alloc.c:1056 [inline]
 free_unref_page+0x156/0x1320 mm/page_alloc.c:2657
 __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838
 bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]
 ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235
 bpf_map_free kernel/bpf/syscall.c:838 [inline]
 bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310
 worker_thread+0xedf/0x1550 kernel/workqueue.c:3391
 kthread+0x535/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 04:55:40 UTC

Technical Analysis

CVE-2025-21867 is a high-severity use-after-free in the Linux kernel's BPF subsystem, reported by KMSAN (the kernel memory sanitizer) in eth_skb_pkt_type(), the inline helper that eth_type_trans() uses to classify an Ethernet frame as host, broadcast, multicast or other-host traffic by reading its destination address. The helper assumes the socket buffer (skb) it is handed begins with a complete 14-byte Ethernet header (ETH_HLEN). The BPF_PROG_TEST_RUN command of the bpf(2) syscall lets user space run a loaded XDP program against caller-supplied packet bytes; bpf_prog_test_run_xdp() hands those bytes to bpf_test_init(), which did not check that the caller had supplied at least ETH_HLEN of them. With a shorter input, eth_type_trans() reads past the supplied bytes. In the KMSAN report the read occurred in XDP live-frame mode (bpf_test_run_xdp_live() calling __xdp_build_skb_from_frame() and then eth_type_trans()), and the memory it touched had belonged to a BPF ring buffer that was already freed (bpf_ringbuf_free() on the deferred map-free worker), which is why the sanitizer classes it as a use-after-free. The fix makes bpf_test_init() return an error (-EINVAL) when the user-supplied length is below ETH_HLEN and drops the now-redundant "user_size > size" check. Note that bpf_test_init() has no user_data parameter; the commit message's "user_data" refers to the length of the test input (data_size_in in the bpf attribute, the user_size argument), not to its contents. What the report shows is an out-of-bounds read of stale memory, not a write: the immediate consequences are kernel crashes and packet-type decisions made on, or leaking, stale page contents; no code execution is demonstrated on this page. The CVE record lists affected kernels from commit be3d72a2896cb24090f268dce4aa8a304d40bc23, and the sanitizer run was on a 6.12 development kernel (6.12.0-05490-g9bb88c659673), so the 6.x series is affected until the fix is applied; distribution advisories give the exact ranges. The CVSS 3.1 base score is 7.8 (high): local attack vector, low complexity, low privileges, no user interaction, with confidentiality, integrity and availability impact. In practice the "low privileges" are more than an ordinary user holds on most systems: reaching this path requires loading an XDP program and running BPF_PROG_TEST_RUN against it, which on current kernels needs CAP_BPF and CAP_NET_ADMIN (or CAP_SYS_ADMIN), and most distributions ship with kernel.unprivileged_bpf_disabled set. No exploits in the wild were reported at the time of analysis. The weakness is classified as CWE-416 (Use After Free).
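To make the off-by-variable concrete, here is an added user-space model of the bpf_test_init() length check before and after the fix, together with the Ethernet-header read that depends on it. It is not the kernel's code and not part of the CVE record. The pre-fix condition is reconstructed from the fix description (an assumption about the exact original code), the headroom constant is the kernel's XDP_PACKET_HEADROOM, and the tailroom value and the sample frame are constructed for the example:

```c
/* Added example, not the kernel's code: a user-space model of the length
 * check in bpf_test_init() before and after the fix for CVE-2025-21867,
 * with the Ethernet-header read that depends on it.  Constants mirror
 * the kernel; the tailroom value is an assumption for x86-64. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN       14    /* struct ethhdr: dst(6) + src(6) + proto(2) */
#define PAGE_SIZE      4096
#define XDP_HEADROOM   256   /* XDP_PACKET_HEADROOM */
#define XDP_TAILROOM   320   /* SKB_DATA_ALIGN(sizeof(struct skb_shared_info)), assumed */

/* Pre-fix logic as reconstructed here: the ETH_HLEN test is applied to
 * 'size', the buffer capacity the caller requests, and the only test on
 * the caller's byte count is user_size > size.  bpf_prog_test_run_xdp()
 * passes size = PAGE_SIZE - headroom - tailroom, which always clears
 * ETH_HLEN, so a zero-length input is accepted. */
static int bpf_test_init_vuln(uint32_t user_size, uint32_t size,
                              uint32_t headroom, uint32_t tailroom)
{
    if (size < ETH_HLEN || size > PAGE_SIZE - headroom - tailroom)
        return -EINVAL;
    if (user_size > size)
        return -EMSGSIZE;
    return 0;
}

/* Post-fix logic: the byte count the caller actually supplies is checked,
 * and the user_size > size test is gone because it is implied. */
static int bpf_test_init_fixed(uint32_t user_size, uint32_t size,
                               uint32_t headroom, uint32_t tailroom)
{
    (void)size;
    if (user_size < ETH_HLEN || user_size > PAGE_SIZE - headroom - tailroom)
        return -EINVAL;
    return 0;
}

/* eth_type_trans() reads the 14-byte header unconditionally; it trusts the
 * caller to have validated the length.  This model returns -EFAULT at the
 * point where the kernel would read beyond the supplied bytes, otherwise
 * the EtherType (>= 0). */
static int eth_type_trans_model(const uint8_t *data, uint32_t len)
{
    if (len < ETH_HLEN)
        return -EFAULT;
    return (data[12] << 8) | data[13];
}

/* One BPF_PROG_TEST_RUN request against an XDP program with data_size_in
 * bytes of input.  Returns the EtherType on a clean run, -EINVAL/-EMSGSIZE
 * when rejected up front, -EFAULT when the unsafe read is reached. */
int test_run_xdp_model(const uint8_t *data_in, uint32_t data_size_in, int fixed)
{
    uint32_t max_data_sz = PAGE_SIZE - XDP_HEADROOM - XDP_TAILROOM;
    /* bpf_prog_test_run_xdp() clamps oversized (non-live) inputs to a page. */
    uint32_t size = data_size_in > max_data_sz ? max_data_sz : data_size_in;
    int ret = fixed
        ? bpf_test_init_fixed(size, max_data_sz, XDP_HEADROOM, XDP_TAILROOM)
        : bpf_test_init_vuln(size, max_data_sz, XDP_HEADROOM, XDP_TAILROOM);
    if (ret)
        return ret;
    return eth_type_trans_model(data_in, size);
}

/* Constructed input: a minimal Ethernet header carrying IPv4 (0x0800). */
const uint8_t sample_frame[ETH_HLEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* destination MAC */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* source MAC */
    0x08, 0x00,                           /* EtherType IPv4 */
};

int main(void)
{
    uint32_t lens[] = { 0, 13, 14 };
    for (unsigned i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("data_size_in=%2u  pre-fix=%6d  post-fix=%6d\n", lens[i],
               test_run_xdp_model(sample_frame, lens[i], 0),
               test_run_xdp_model(sample_frame, lens[i], 1));
    return 0;
}
```

Run it and the pre-fix column returns -EFAULT for 0 and 13 bytes (the point at which the kernel reads off the end of the input) while the post-fix column rejects both with -EINVAL before any buffer is built; a 14-byte input passes both and yields 0x0800.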

Potential Impact

For European organizations the exposure is broad but the entry point is narrow. The affected code is in every Linux kernel in the vulnerable range, so servers, network appliances, cloud hosts, virtual machines and embedded systems are all in scope, and environments that use eBPF for observability, networking or security tooling are the ones most likely to have processes holding the capabilities needed to reach it. An attacker who already has local access with CAP_BPF and CAP_NET_ADMIN (or CAP_SYS_ADMIN), for example through a privileged container, a compromised eBPF-based agent, or a CI job that test-runs XDP programs, can trigger the kernel read of freed memory with a single bpf(2) call. The reliable outcome is denial of service through a kernel crash, with possible disclosure of stale kernel memory; the CVSS vector also rates integrity impact, but no privilege-escalation chain is reported on this page. Containers share the host kernel, so one privileged container on a cloud host can take down every workload on that node. No user interaction is needed and the trigger is low complexity, so once a public proof of concept exists, anyone holding those capabilities can exploit it trivially. Given the use of Linux across European data centres, telecommunications, financial institutions and government, patching should be prompt, prioritised on hosts that grant BPF capabilities to untrusted or multi-tenant workloads.

Mitigation Recommendations

Patch first: update to a kernel that carries the fix for CVE-2025-21867 (the upstream commit "bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()" and its stable backports), or apply the vendor kernel update. Where patching must wait, reduce who can reach the bpf(2) syscall rather than trying to disable bpf_prog_test_run_xdp() on its own, since there is no kernel knob for it: set kernel.unprivileged_bpf_disabled to 1 (many distributions already default to 2, which also disables it), do not grant CAP_BPF, CAP_NET_ADMIN or CAP_SYS_ADMIN to containers and services that do not need them, and use a seccomp profile that denies bpf(2) entirely, or at least the BPF_PROG_TEST_RUN command, for workloads that load BPF programs but never need to test-run them. On SELinux systems the bpf object class (prog_load, prog_run, map_create) confines which domains may load and run BPF programs; module-loading restrictions do not help here because no module is involved. For detection, audit the bpf syscall (auditctl -a always,exit -F arch=b64 -S bpf -k bpf) and alert on BPF_PROG_TEST_RUN (command 10 in enum bpf_cmd, visible as a0=a in the SYSCALL record) from anything other than known eBPF tooling; a successful trigger is also likely to leave an oops or sanitizer splat in dmesg mentioning eth_type_trans or bpf_test_run_xdp_live. For cloud and container environments, the host kernel is what must be patched, and runtime security tools that watch bpf(2) usage per container give early warning. Finally, maintain an inventory of kernel versions in use so vulnerable hosts can be identified quickly.
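The seccomp restriction above, as an added example that is not part of the CVE record or any vendor guidance: a filter that leaves the rest of bpf(2) usable but answers BPF_PROG_TEST_RUN with EPERM for the calling process and everything it spawns. It assumes a little-endian x86-64 or aarch64 Linux host, and the command number 10 is the value of BPF_PROG_TEST_RUN in the kernel's enum bpf_cmd:

```c
/* Added example (not from the CVE record or the kernel tree): a seccomp-bpf
 * filter that keeps bpf(2) available but refuses the BPF_PROG_TEST_RUN
 * command with EPERM, closing the entry point for CVE-2025-21867 for this
 * process and its children.  Linux only; the arch guard covers x86-64 and
 * aarch64, both little-endian, which the args[0] load below relies on. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* older uapi headers */
#endif

#define BPF_PROG_TEST_RUN_CMD 10   /* BPF_PROG_TEST_RUN in enum bpf_cmd */

/* Install the filter.  Returns 0 on success, -errno on failure. */
int install_test_run_filter(void)
{
    struct sock_filter filt[] = {
        /* Kill rather than guess at argument layout under a foreign ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Every syscall other than bpf(2) passes straight through. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bpf, 0, 3),
        /* bpf(cmd, attr, size): cmd is the low 32 bits of args[0]. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, BPF_PROG_TEST_RUN_CMD, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filt) / sizeof(filt[0])),
        .filter = filt,
    };

    /* An unprivileged process may only install a filter with no_new_privs set. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Issue bpf(BPF_PROG_TEST_RUN) with no attributes and report the errno the
 * kernel (or the filter) answers with; 0 if it unexpectedly succeeded. */
int probe_bpf_test_run(void)
{
    long ret = syscall(__NR_bpf, BPF_PROG_TEST_RUN_CMD, NULL, 0);
    return ret == -1 ? errno : 0;
}

int main(void)
{
    printf("before filter: bpf(BPF_PROG_TEST_RUN) -> errno %d\n", probe_bpf_test_run());
    if (install_test_run_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("after filter:  bpf(BPF_PROG_TEST_RUN) -> errno %d (EPERM is %d)\n",
           probe_bpf_test_run(), EPERM);
    return 0;
}
```

Before the filter the probe fails with whatever the kernel decides for an empty attribute (EINVAL, EFAULT, or EPERM where unprivileged BPF is disabled); after it, the filter answers EPERM before the kernel's BPF code runs at all. The same rule expressed in a container runtime's seccomp profile (a bpf entry with an args condition on index 0 equal to 10) gives the same effect without code.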

Technical Details

Data version: 5.1
Assigner short name: Linux
Date reserved: 2024-12-29T08:45:45.781Z
CISA enriched: true
CVSS version: 3.1
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe8a5e

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 4:55:40 AM

Last updated: 8/15/2025, 6:42:09 PM
