CVE-2025-21868: Vulnerability in the Linux kernel (Linux)
In the Linux kernel, the following vulnerability has been resolved:

net: allow small head cache usage with large MAX_SKB_FRAGS values

Sabrina reported the following splat:

WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0
Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe <0f> 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48
RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e
RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6
RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c
R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168
R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 gro_cells_init+0x1ba/0x270
 xfrm_input_init+0x4b/0x2a0
 xfrm_init+0x38/0x50
 ip_rt_init+0x2d7/0x350
 ip_init+0xf/0x20
 inet_init+0x406/0x590
 do_one_initcall+0x9d/0x2e0
 do_initcalls+0x23b/0x280
 kernel_init_freeable+0x445/0x490
 kernel_init+0x20/0x1d0
 ret_from_fork+0x46/0x80
 ret_from_fork_asm+0x1a/0x30
 </TASK>
irq event stamp: 584330
hardirqs last  enabled at (584338): [<ffffffff8168bf87>] __up_console_sem+0x77/0xb0
hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0
softirqs last  enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470
softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0

on a kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024) is smaller than GRO_MAX_HEAD.

Such a build additionally contains the revert of the single page frag cache, so that napi_get_frags() ends up using the page frag allocator, triggering the splat.

Note that the underlying issue is independent from the mentioned revert; address it by ensuring that the small head cache will fit both the TCP and the GRO allocation, and updating napi_alloc_skb() and __netdev_alloc_skb() to select kmalloc() usage for any allocation fitting such cache.
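The size comparison the commit message hinges on (SKB_WITH_OVERHEAD(1024) against GRO_MAX_HEAD) can be worked through numerically. The following is an added example, not kernel code and not part of the CVE record: it models the three kernel macros involved with assumed constants for a 64-bit x86 build (a 64-byte cache line, a 16-byte skb_frag_t, 48 bytes of struct skb_shared_info before the frags[] array, LL_MAX_HEADER of 128 with IP tunnelling enabled). Real values depend on the kernel version and .config, so treat the numbers as illustrative; the point is how a larger MAX_SKB_FRAGS shrinks the usable head space of a 1024-byte buffer until the GRO head request no longer fits.

```c
/* Added example (not kernel code): a model of the head-size arithmetic behind
 * CVE-2025-21868. The constants below are assumptions for a 64-bit x86 build. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SMP_CACHE_BYTES      64   /* assumed: 64-byte cache line */
#define SKB_FRAG_SIZE        16   /* assumed: sizeof(skb_frag_t) on 64-bit */
#define SKB_SHARED_INFO_BASE 48   /* assumed: skb_shared_info bytes before frags[] */
#define SMALL_HEAD_BUCKET    1024 /* the 1024-byte bucket named in the description */

#define ALIGN_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))

/* sizeof(struct skb_shared_info) grows linearly with MAX_SKB_FRAGS. */
static size_t skb_shared_info_size(unsigned max_skb_frags)
{
    return SKB_SHARED_INFO_BASE + (size_t)max_skb_frags * SKB_FRAG_SIZE;
}

/* SKB_WITH_OVERHEAD(X): head bytes left in an X-byte buffer once the
 * cache-aligned shared info has been placed at its tail. */
static long skb_with_overhead(size_t x, unsigned max_skb_frags)
{
    size_t shinfo = ALIGN_UP(skb_shared_info_size(max_skb_frags), SMP_CACHE_BYTES);
    return (long)x - (long)shinfo;
}

/* GRO_MAX_HEAD = MAX_HEADER + 128, where MAX_HEADER is LL_MAX_HEADER plus 48
 * when IP tunnelling is configured. LL_MAX_HEADER is config dependent. */
static size_t gro_max_head(size_t ll_max_header, bool tunnels_enabled)
{
    return ll_max_header + (tunnels_enabled ? 48 : 0) + 128;
}

/* The condition from the description: does the GRO head request fit the
 * small head cache? If not, the pre-fix allocator falls back to page frags,
 * which is what produced the reported splat. */
static bool gro_fits_small_head(unsigned max_skb_frags, size_t ll_max_header,
                                bool tunnels_enabled)
{
    return (long)gro_max_head(ll_max_header, tunnels_enabled)
           <= skb_with_overhead(SMALL_HEAD_BUCKET, max_skb_frags);
}

int main(void)
{
    const unsigned frag_counts[] = { 17, 32, 45 };
    const size_t ll_max_header = 128;   /* assumed build setting */
    const bool tunnels = true;          /* assumed build setting */

    printf("GRO_MAX_HEAD = %zu\n", gro_max_head(ll_max_header, tunnels));
    for (size_t i = 0; i < sizeof frag_counts / sizeof frag_counts[0]; i++) {
        unsigned n = frag_counts[i];
        printf("MAX_SKB_FRAGS=%2u  SKB_WITH_OVERHEAD(1024)=%4ld  GRO fits: %s\n",
               n, skb_with_overhead(SMALL_HEAD_BUCKET, n),
               gro_fits_small_head(n, ll_max_header, tunnels) ? "yes" : "no (splat)");
    }
    return 0;
}
```

With these assumptions the default MAX_SKB_FRAGS of 17 leaves 704 usable bytes, comfortably above a GRO_MAX_HEAD of 304, while MAX_SKB_FRAGS=45 leaves only 256, reproducing the mismatch the description reports. A build with a small LL_MAX_HEADER and no tunnelling still fits at 45 frags, which is why the problem surfaces only on some configurations.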
AI Analysis
Technical Summary
CVE-2025-21868 is a vulnerability in the Linux kernel networking subsystem concerning socket buffer (SKB) head allocation and the small head cache when the kernel is built with a large MAX_SKB_FRAGS value. With MAX_SKB_FRAGS set to 45, struct skb_shared_info grows large enough that SKB_WITH_OVERHEAD(1024), the usable head space in a 1024-byte buffer, becomes smaller than GRO_MAX_HEAD, the head size that GRO requests. The GRO allocation therefore no longer fits the small head cache, napi_get_frags() falls back to the page fragment allocator, and the kernel emits the splat in netif_napi_add_weight_locked. The issue manifests as a kernel crash (splat) caused by this improper head cache usage and is triggered during network initialization routines such as gro_cells_init, xfrm_input_init, and ip_rt_init, as the reported call trace shows. The root cause is that the small head cache was not sized to accommodate both TCP and Generic Receive Offload (GRO) allocations. The vulnerability is independent of the related revert of the single page frag cache; the fix sizes the small head cache for both allocations and updates napi_alloc_skb() and __netdev_alloc_skb() to use kmalloc() for any allocation that fits that cache. The flaw affects Linux kernel versions built with the specified MAX_SKB_FRAGS configuration and can cause denial of service through kernel panics during network operations. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, the risk is confined to systems running Linux kernels compiled with the affected MAX_SKB_FRAGS configuration, which may include custom or specialized Linux distributions used in network infrastructure, servers, and embedded devices. The impact is a denial of service (DoS): kernel crashes during network packet processing can disrupt critical network services, degrade availability, and lead to reboots or downtime. Organizations relying on Linux-based networking equipment, cloud infrastructure, or data centers could experience service interruptions. The vulnerability does not directly lead to privilege escalation or data leakage, but the resulting instability affects business continuity and operational reliability. The absence of known exploits reduces the immediate risk; because the issue sits in core kernel networking code, it still warrants prompt attention to prevent exploitation or accidental triggering in production environments.
Mitigation Recommendations
Mitigation requires applying kernel patches that fix the small head cache sizing and update the skb allocation functions (napi_alloc_skb() and __netdev_alloc_skb()) to use kmalloc() for allocations that fit the cache. Organizations should:
1) Identify Linux systems running kernels built with MAX_SKB_FRAGS=45 or similar configurations.
2) Monitor vendor advisories and apply official Linux kernel updates or backported patches that fix CVE-2025-21868.
3) For custom kernel builds, adjust the MAX_SKB_FRAGS setting and ensure the small head cache is sized to accommodate both TCP and GRO allocations.
4) Test kernel updates in staging environments to verify stability.
5) Implement network segmentation and redundancy to minimize the impact of potential DoS conditions.
6) Monitor system logs for kernel warnings or crashes referencing netif_napi_add_weight_locked or napi_get_frags.
7) Engage Linux distribution maintainers or vendors for guidance on patch availability and deployment timelines.
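Recommendation 6 above amounts to watching kernel logs for the two symbols named in the splat. The following is an added example, not code from the page or from the kernel project: a minimal scanner that flags log lines naming netif_napi_add_weight_locked or napi_get_frags and reports whether a WARNING header was among them, so that an ordinary mention of the symbol (for example in a lockdep dump or a module listing) is not confused with the splat. The sample log lines are constructed for the demonstration; in practice the input would be dmesg or journal output fed through the same scan.

```c
/* Added example (not kernel code): scan kernel log lines for the
 * CVE-2025-21868 splat signature. Sample lines below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Function names taken from the splat in the CVE description. */
static const char *const splat_markers[] = {
    "netif_napi_add_weight_locked",
    "napi_get_frags",
};

/* A line is of interest when it names one of the marker functions. */
static bool is_splat_line(const char *line)
{
    for (size_t i = 0; i < sizeof splat_markers / sizeof splat_markers[0]; i++)
        if (strstr(line, splat_markers[i]))
            return true;
    return false;
}

/* Count matching lines and note whether any of them carries a WARNING
 * header; a hit without a WARNING is only a mention, not the splat. */
static size_t scan_lines(const char *const *lines, size_t n, bool *saw_warning)
{
    size_t hits = 0;
    *saw_warning = false;
    for (size_t i = 0; i < n; i++) {
        if (!is_splat_line(lines[i]))
            continue;
        hits++;
        if (strstr(lines[i], "WARNING:"))
            *saw_warning = true;
    }
    return hits;
}

/* Constructed sample: two unrelated messages around lines modelled on the
 * splat from the description. */
static const char *const sample_log[] = {
    "[    1.234567] e1000e 0000:00:03.0 eth0: link up",
    "[    1.300000] WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0",
    "[    1.300001] Call Trace:",
    "[    1.300002]  gro_cells_init+0x1ba/0x270",
    "[    1.300003] softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0",
    "[    2.000000] systemd[1]: Started Journal Service.",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

/* Helpers exposing the sample scan results as return values. */
static size_t sample_hit_count(void)
{
    bool warning;
    return scan_lines(sample_log, SAMPLE_LOG_LEN, &warning);
}

static bool sample_splat_detected(void)
{
    bool warning;
    size_t hits = scan_lines(sample_log, SAMPLE_LOG_LEN, &warning);
    return hits > 0 && warning;
}

int main(void)
{
    printf("matching lines: %zu\n", sample_hit_count());
    printf("splat detected: %s\n", sample_splat_detected() ? "yes" : "no");
    return 0;
}
```

A real deployment would feed `dmesg` or `journalctl -k` output into the same check and raise an alert only when the WARNING header accompanies the symbol, which keeps the signal specific to the splat described on this page.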
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.781Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8a66
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 10:10:02 AM
Last updated: 8/17/2025, 11:55:17 AM
Views: 15
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)