CVE-2025-21869: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

powerpc/code-patching: Disable KASAN report during patching via temporary mm

Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:

[ 12.028126] ==================================================================
[ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0
[ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1
[ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3
[ 12.028408] Tainted: [T]=RANDSTRUCT
[ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
[ 12.028500] Call Trace:
[ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)
[ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708
[ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300
[ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370
[ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40
[ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0
[ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210
[ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590
[ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0
[ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0
[ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930
[ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280
[ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370
[ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00
[ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40
[ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610
[ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280
[ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8
[ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000
[ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty)
[ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000
[ 12.029855] IRQMASK: 0
GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005
GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000
GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90
GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80
GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8
GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580
[ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8
[ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8
[ 12.030405] --- interrupt: 3000
[ 12.030444] ==================================================================

Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU") is inspired from x86 but unlike x86 it doesn't disable KASAN reports during patching. This wasn't a problem at the beginning because __patch_mem() is not instrumented.

Commit 465cabc97b42 ("powerpc/code-patching: introduce patch_instructions()") uses copy_to_kernel_nofault() to copy several instructions at once. But when using temporary mm the destination is not regular kernel memory but a kind of kernel-like memory located in user address space.

---truncated---
AI Analysis
Technical Summary
CVE-2025-21869 is a vulnerability identified in the Linux kernel, specifically affecting the PowerPC architecture (notably POWER9 systems such as Talos II) running kernel version 6.13. The issue arises from the way kernel address sanitization (KASAN) interacts with the code patching mechanism on PowerPC. The vulnerability is rooted in the use of a temporary memory mapping (temporary mm) during code patching operations, which is intended to facilitate safe instruction patching. However, unlike the x86 implementation, the PowerPC code patching does not disable KASAN reports during this process. This leads to KASAN detecting invalid user-memory access when the kernel attempts to copy instructions using copy_to_kernel_nofault() into a memory region that is kernel-like but actually resides in user address space. The KASAN report indicates a write of size 8 at an address in user space by the systemd process (PID 1), which is a critical kernel process. The root cause is that the patch_instructions() function uses copy_to_kernel_nofault() to copy multiple instructions at once into this temporary mm, which is not standard kernel memory, triggering KASAN's user-memory-access detection. This can cause kernel panics or instability due to the kernel's memory safety checks being triggered incorrectly during legitimate patching operations. The vulnerability was fixed by disabling KASAN reports during patching via the temporary mm, aligning PowerPC behavior more closely with x86. While no known exploits are reported in the wild, the issue represents a kernel memory safety flaw that could be leveraged to cause denial of service or potentially escalate privileges if combined with other vulnerabilities. The vulnerability affects specific commits in the Linux kernel source and is relevant primarily to systems running PowerPC architecture kernels with the affected code patching implementations.
Potential Impact
For European organizations, the impact of CVE-2025-21869 is primarily on systems running Linux on PowerPC hardware, such as POWER9-based servers or specialized infrastructure like Talos II machines. These systems are often used in research, high-performance computing, or niche enterprise environments. The vulnerability can lead to kernel crashes or instability due to KASAN triggering on legitimate kernel operations, potentially causing denial of service. In critical infrastructure or data centers relying on such hardware, this could disrupt services or workloads. Although no direct remote exploitation is reported, the kernel panic could be triggered locally, affecting system availability. Additionally, if attackers gain local access, they might exploit this flaw in combination with other vulnerabilities to escalate privileges or bypass security controls. European organizations with deployments in sectors such as scientific research, telecommunications, or government that utilize PowerPC Linux systems should be aware of this risk. The vulnerability does not affect more common x86_64 Linux deployments, limiting its scope. However, the potential for service disruption and the complexity of patching kernel-level code in production environments means the impact on affected organizations could be significant if not addressed promptly.
Mitigation Recommendations
1. Apply the official Linux kernel patch that disables KASAN reports during code patching on PowerPC architectures as soon as it is available and tested. This patch aligns the PowerPC code patching behavior with the x86 implementation and prevents false KASAN hits.
2. For organizations using POWER9 or similar hardware, ensure kernel versions are updated to 6.13 or later with the fix included.
3. Implement rigorous testing of kernel updates in staging environments to detect any stability issues before production deployment.
4. Limit local access to affected systems to trusted administrators only, reducing the risk of local exploitation attempts.
5. Monitor system logs for KASAN reports or kernel panics related to copy_to_kernel_nofault or patch_instructions to detect attempts to trigger the vulnerability.
6. Consider disabling KASAN in production environments if it causes instability and if the risk profile allows, but only as a temporary measure until patches are applied.
7. Maintain up-to-date backups and recovery plans for critical systems running PowerPC Linux to minimize downtime in case of kernel crashes.
8. Engage with hardware and Linux distribution vendors to ensure timely delivery of patched kernel versions and security advisories.
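The log monitoring in recommendation 5 can be automated. The following Python example is added here and is not part of the advisory or the kernel sources: it splits dmesg text into KASAN reports and flags those with the shape quoted in the description (user-memory-access raised in copy_to_kernel_nofault and reached through the patching functions). The sample log is abridged from the advisory plus one constructed, unrelated report; all function and constant names are hypothetical.

```python
import re

# Abridged from the KASAN report quoted in the advisory, followed by a
# constructed, unrelated report (cut off by the end of the log) that must not match.
SAMPLE_DMESG = """\
[ 12.028126] ==================================================================
[ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0
[ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1
[ 12.028500] Call Trace:
[ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0
[ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210
[ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590
[ 12.030444] ==================================================================
[ 40.000001] ==================================================================
[ 40.000002] BUG: KASAN: slab-out-of-bounds in example_driver_read+0x40/0x80
[ 40.000003] Read of size 4 at addr c00000000abc0000 by task cat/321
[ 40.000004] Call Trace:
[ 40.000005] [c000000008dbf660] [c000000000578e8c] example_driver_read+0x40/0x80
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix, if present
BUG = re.compile(r"BUG: KASAN: (\S+) in (\w+)\+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
FRAME = re.compile(r"^\[[0-9a-f]{16}\] \[[0-9a-f]{16}\] ([\w.]+)\+0x")
PATCH_FUNCS = {"__patch_instructions", "patch_instructions"}

def parse_kasan_reports(text):
    """Return one dict per KASAN report; a report cut off by the end of the log is kept."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := BUG.search(line):
            cur = {"bug": m.group(1), "func": m.group(2), "access": None, "trace": []}
            reports.append(cur)
        elif cur is None or line.startswith("====="):
            cur = None  # outside a report, or its closing delimiter
        elif m := ACCESS.search(line):
            cur["access"] = {"op": m.group(1), "size": int(m.group(2)),
                             "addr": int(m.group(3), 16), "task": m.group(4), "pid": int(m.group(5))}
        elif m := FRAME.match(line):
            cur["trace"].append(m.group(1))
    return reports

def matches_patching_signature(report):
    """True for the report shape in the advisory: user-memory-access raised in
    copy_to_kernel_nofault while called from the powerpc patching functions."""
    return (report["bug"] == "user-memory-access"
            and report["func"] == "copy_to_kernel_nofault"
            and bool(PATCH_FUNCS & set(report["trace"])))

if __name__ == "__main__":
    for r in parse_kasan_reports(SAMPLE_DMESG):
        verdict = "patching signature" if matches_patching_signature(r) else "other KASAN report"
        print(f"{verdict}: {r['bug']} in {r['func']} by {r['access']['task']}/{r['access']['pid']}")
```

Reports that do not match the signature are still returned by the parser, so unrelated KASAN hits can be triaged separately rather than dropped.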
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.781Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8a6e
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 10:10:20 AM
Last updated: 8/8/2025, 11:27:25 PM