CVE-2025-21910: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: regulatory: improve invalid hints checking

Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into user_alpha2[] via regulatory_hint_user() call. Such invalid regulatory hints should be rejected.

While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: reject invalid hints") looks to be enough to deter these very cases, there is a way to get around it due to 2 reasons.

1) The way isalpha() works, symbols other than latin lower and upper letters may be used to determine a country/domain. For instance, greek letters will also be considered upper/lower letters and for such characters isalpha() will return true as well. However, ISO-3166-1 alpha2 codes should only hold latin characters.

2) While processing a user regulatory request, between reg_process_hint_user() and regulatory_hint_user() there happens to be a call to queue_regulatory_request() which modifies letters in request->alpha2[] with toupper(). This works fine for latin symbols, less so for weird letter characters from the second part of _ctype[].

Syzbot triggers a warning in is_user_regdom_saved() by first sending over an unexpected non-latin letter that gets malformed by toupper() into a character that ends up failing isalpha() check.

Prevent this by enhancing is_an_alpha2() to ensure that incoming symbols are latin letters and nothing else.
[1] Syzbot report:

------------[ cut here ]------------
Unexpected user alpha2: A�
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
Modules linked in:
CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_power_efficient crda_timeout_work
RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]
RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]
RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
...
Call Trace:
 <TASK>
 crda_timeout_work+0x27/0x50 net/wireless/reg.c:542
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
AI Analysis
Technical Summary
CVE-2025-21910 is a vulnerability identified in the Linux kernel's wireless regulatory subsystem, specifically within the cfg80211 regulatory code responsible for handling country-specific wireless regulatory hints. The issue arises from insufficient validation of user-supplied regulatory hints, which are intended to specify country codes (alpha2 codes) to enforce wireless regulatory compliance. The vulnerability stems from the fact that the kernel's regulatory_hint_user() function accepts user input that is supposed to be limited to ISO-3166-1 alpha2 country codes, which are strictly composed of Latin alphabet letters. However, the existing validation relied on the isalpha() function, which incorrectly accepts non-Latin alphabetic characters such as Greek letters. Additionally, the conversion of these characters to uppercase using toupper() can produce malformed characters that fail subsequent checks, leading to inconsistent or unexpected states within the regulatory subsystem. This flaw allows malformed or invalid regulatory hints to bypass sanity checks and enter the user_alpha2[] array, potentially causing warnings, kernel log noise, or undefined behavior in regulatory domain handling. The Syzbot fuzzing tool has reported warnings and kernel tracebacks triggered by this malformed input, indicating that the kernel does not robustly reject invalid regulatory hints. Although no direct exploit or malicious payload is currently known, the vulnerability could be leveraged to cause denial of service conditions or potentially destabilize wireless regulatory enforcement mechanisms. The root cause is the acceptance of non-Latin characters due to the isalpha() function's behavior and the improper handling of character case conversion. The patch approach involves enhancing the is_an_alpha2() validation function to strictly enforce that only Latin letters are accepted as valid country codes, thereby preventing malformed regulatory hints from being processed. 
This fix improves the robustness of the regulatory subsystem against malformed user inputs. The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems that use the cfg80211 wireless regulatory framework, which is common in many Linux distributions. The issue was publicly disclosed in April 2025, with no known exploits in the wild at the time of publication.
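The two root causes described above (an isalpha()-only check that accepts bytes outside A-Z/a-z, followed by an in-place toupper() that turns some of those bytes into non-letters) can be reproduced in user space with a small model. The program below is an added example written for this page; it is not kernel code and not the upstream patch. The k_* helpers model the kernel's own byte classification in lib/ctype.c as this example assumes it (ASCII letters plus the Latin-1 letter ranges 0xC0 to 0xFF, with 0xD7 and 0xF7 treated as punctuation) together with the kernel's toupper(); user-space <ctype.h> is not used because its C-locale isalpha() rejects every byte above 0x7F and so would hide the bug. The function names is_an_alpha2_weak, is_an_alpha2_strict, process_hint and count_weak_only_bytes are hypothetical, and the strict variant is this example's own wording of the fix (accept Latin letters only), not a verbatim copy of the kernel change.

```c
/* Added example, not kernel code: a user-space model of why an isalpha()-only
 * alpha2 check let non-Latin bytes through, and how a Latin-only check
 * closes the gap. The k_* helpers model the kernel's lib/ctype.c table
 * (ASCII letters plus the Latin-1 letter ranges 0xC0-0xFF, with 0xD7 and
 * 0xF7 classified as punctuation) and its toupper(); that layout is this
 * example's assumption. */
#include <stdbool.h>
#include <stdio.h>

static bool k_isupper(unsigned char c)
{
    if (c >= 'A' && c <= 'Z')
        return true;
    return c >= 0xC0 && c <= 0xDE && c != 0xD7;
}

static bool k_islower(unsigned char c)
{
    if (c >= 'a' && c <= 'z')
        return true;
    return c >= 0xDF && c <= 0xFF && c != 0xF7;
}

static bool k_isalpha(unsigned char c)
{
    return k_isupper(c) || k_islower(c);
}

/* Kernel-style toupper(): anything islower() accepts has 0x20 subtracted,
 * which maps the Latin-1 range 0xDF..0xFF onto 0xBF..0xDF. Bytes in
 * 0xBF..0xBF are not letters, so the result can fail isalpha(). */
static unsigned char k_toupper(unsigned char c)
{
    return k_islower(c) ? (unsigned char)(c - ('a' - 'A')) : c;
}

/* Shape of the pre-fix check: each of the two bytes only has to be isalpha(). */
static bool is_an_alpha2_weak(const char *alpha2)
{
    if (!alpha2)
        return false;
    return k_isalpha((unsigned char)alpha2[0]) &&
           k_isalpha((unsigned char)alpha2[1]);
}

/* Hardened check in this example's own wording: ISO-3166-1 alpha2 codes are
 * Latin letters only, so accept nothing outside A-Z / a-z. */
static bool is_latin_letter(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

static bool is_an_alpha2_strict(const char *alpha2)
{
    if (!alpha2)
        return false;
    return is_latin_letter((unsigned char)alpha2[0]) &&
           is_latin_letter((unsigned char)alpha2[1]);
}

/* Model of the request path: validate the hint, uppercase both bytes as
 * queue_regulatory_request() does, then re-check what would be stored.
 * Returns 0 if the hint is rejected up front, 1 if it is accepted and is
 * still a valid alpha2 after uppercasing, 2 if it was accepted but
 * toupper() turned a byte into something isalpha() no longer accepts
 * (the state behind the "Unexpected user alpha2" warning). */
static int process_hint(const char *hint, bool strict)
{
    char a2[2] = { hint[0], hint[1] };

    if (!(strict ? is_an_alpha2_strict(a2) : is_an_alpha2_weak(a2)))
        return 0;
    a2[0] = (char)k_toupper((unsigned char)a2[0]);
    a2[1] = (char)k_toupper((unsigned char)a2[1]);
    return is_an_alpha2_weak(a2) ? 1 : 2;
}

/* Number of byte values the weak check accepts but the strict one rejects:
 * the size of the gap the fix closes. */
static int count_weak_only_bytes(void)
{
    int n = 0;
    for (int c = 0; c < 256; c++)
        if (k_isalpha((unsigned char)c) && !is_latin_letter((unsigned char)c))
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample hints: a valid code, a Latin-1 letter that
     * toupper() malforms, and a digit that both checks reject. */
    const char *hints[] = { "de", "A\xDF", "1A" };
    for (size_t i = 0; i < 3; i++)
        printf("hint %02x%02x: weak=%d strict=%d\n",
               (unsigned char)hints[i][0], (unsigned char)hints[i][1],
               process_hint(hints[i], false), process_hint(hints[i], true));
    printf("bytes accepted by weak check only: %d\n", count_weak_only_bytes());
    return 0;
}
```

Compile with any C99 compiler and run; the "A\xDF" hint passes the weak check, is uppercased to 0x41 0xBF, and then fails the same check again, which is the inconsistent stored state the report above warns about. The strict check rejects it at the first step, so nothing reaches the uppercasing stage. The count of 62 weak-only bytes is a property of the modelled table, not a number taken from the kernel.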
Potential Impact
For European organizations, this vulnerability primarily impacts Linux-based systems that utilize wireless networking with regulatory domain enforcement, including servers, desktops, embedded devices, and IoT equipment running affected Linux kernel versions. The potential impact includes:
- Denial of Service (DoS): Malformed regulatory hints could cause kernel warnings or instability in the wireless regulatory subsystem, potentially leading to service interruptions or degraded wireless functionality.
- Regulatory Compliance Issues: Incorrect handling of regulatory domains could result in devices operating outside of legal wireless parameters, risking regulatory violations.
- Increased Attack Surface: Although no direct exploit is known, the vulnerability could be used as a vector for kernel-level attacks or privilege escalation if combined with other vulnerabilities.
Given the widespread use of Linux in European IT infrastructure, especially in telecommunications, cloud services, and industrial control systems, the vulnerability could affect critical operations if exploited or triggered inadvertently. However, the lack of known active exploits and the requirement for user-supplied malformed input limits the immediate risk. Still, organizations relying on wireless Linux systems should consider this vulnerability seriously to maintain system stability and regulatory compliance.
Mitigation Recommendations
To mitigate CVE-2025-21910, European organizations should:
1. Apply Kernel Updates: Deploy the official Linux kernel patches that enhance validation of regulatory hints to accept only valid Latin alpha2 country codes. Ensure all Linux systems, especially those with wireless capabilities, are updated to patched kernel versions.
2. Harden Input Validation: For environments where user-space applications or scripts interact with wireless regulatory settings, implement strict input validation to prevent malformed or non-standard regulatory hints from being submitted.
3. Monitor Kernel Logs: Enable and monitor kernel logs for warnings related to regulatory domain processing (e.g., messages from net/wireless/reg.c) to detect attempts to exploit or trigger the vulnerability.
4. Limit User Privileges: Restrict access to interfaces that can submit regulatory hints to trusted administrators or processes to reduce the risk of malicious or accidental malformed input.
5. Test Wireless Functionality: After patching, conduct thorough testing of wireless regulatory domain enforcement to ensure compliance with local regulations and system stability.
6. Engage with Vendors: For embedded or third-party Linux-based devices, coordinate with vendors to ensure timely patching and firmware updates addressing this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.786Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8b92
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 10:40:22 AM
Last updated: 8/11/2025, 4:56:34 AM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)