
CVE-2025-21953: Vulnerability in Linux Linux

High
Published: Tue Apr 01 2025 (04/01/2025, 15:46:54 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: mana: cleanup mana struct after debugfs_remove()

When on a MANA VM hibernation is triggered, as part of hibernate_snapshot(), mana_gd_suspend() and mana_gd_resume() are called. If during this mana_gd_resume(), a failure occurs with HWC creation, mana_port_debugfs pointer does not get reinitialized and ends up pointing to older, cleaned-up dentry.

Further in the hibernation path, as part of power_down(), mana_gd_shutdown() is triggered. This call, unaware of the failures in resume, tries to cleanup the already cleaned up mana_port_debugfs value and hits the following bug:

[ 191.359296] mana 7870:00:00.0: Shutdown was called
[ 191.359918] BUG: kernel NULL pointer dereference, address: 0000000000000098
[ 191.360584] #PF: supervisor write access in kernel mode
[ 191.361125] #PF: error_code(0x0002) - not-present page
[ 191.361727] PGD 1080ea067 P4D 0
[ 191.362172] Oops: Oops: 0002 [#1] SMP NOPTI
[ 191.362606] CPU: 11 UID: 0 PID: 1674 Comm: bash Not tainted 6.14.0-rc5+ #2
[ 191.363292] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
[ 191.364124] RIP: 0010:down_write+0x19/0x50
[ 191.364537] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb e8 de cd ff ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 16 65 48 8b 05 88 24 4c 6a 48 89 43 08 48 8b 5d
[ 191.365867] RSP: 0000:ff45fbe0c1c037b8 EFLAGS: 00010246
[ 191.366350] RAX: 0000000000000000 RBX: 0000000000000098 RCX: ffffff8100000000
[ 191.366951] RDX: 0000000000000001 RSI: 0000000000000064 RDI: 0000000000000098
[ 191.367600] RBP: ff45fbe0c1c037c0 R08: 0000000000000000 R09: 0000000000000001
[ 191.368225] R10: ff45fbe0d2b01000 R11: 0000000000000008 R12: 0000000000000000
[ 191.368874] R13: 000000000000000b R14: ff43dc27509d67c0 R15: 0000000000000020
[ 191.369549] FS: 00007dbc5001e740(0000) GS:ff43dc663f380000(0000) knlGS:0000000000000000
[ 191.370213] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 191.370830] CR2: 0000000000000098 CR3: 0000000168e8e002 CR4: 0000000000b73ef0
[ 191.371557] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 191.372192] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 191.372906] Call Trace:
[ 191.373262] <TASK>
[ 191.373621] ? show_regs+0x64/0x70
[ 191.374040] ? __die+0x24/0x70
[ 191.374468] ? page_fault_oops+0x290/0x5b0
[ 191.374875] ? do_user_addr_fault+0x448/0x800
[ 191.375357] ? exc_page_fault+0x7a/0x160
[ 191.375971] ? asm_exc_page_fault+0x27/0x30
[ 191.376416] ? down_write+0x19/0x50
[ 191.376832] ? down_write+0x12/0x50
[ 191.377232] simple_recursive_removal+0x4a/0x2a0
[ 191.377679] ? __pfx_remove_one+0x10/0x10
[ 191.378088] debugfs_remove+0x44/0x70
[ 191.378530] mana_detach+0x17c/0x4f0
[ 191.378950] ? __flush_work+0x1e2/0x3b0
[ 191.379362] ? __cond_resched+0x1a/0x50
[ 191.379787] mana_remove+0xf2/0x1a0
[ 191.380193] mana_gd_shutdown+0x3b/0x70
[ 191.380642] pci_device_shutdown+0x3a/0x80
[ 191.381063] device_shutdown+0x13e/0x230
[ 191.381480] kernel_power_off+0x35/0x80
[ 191.381890] hibernate+0x3c6/0x470
[ 191.382312] state_store+0xcb/0xd0
[ 191.382734] kobj_attr_store+0x12/0x30
[ 191.383211] sysfs_kf_write+0x3e/0x50
[ 191.383640] kernfs_fop_write_iter+0x140/0x1d0
[ 191.384106] vfs_write+0x271/0x440
[ 191.384521] ksys_write+0x72/0xf0
[ 191.384924] __x64_sys_write+0x19/0x20
[ 191.385313] x64_sys_call+0x2b0/0x20b0
[ 191.385736] do_syscall_64+0x79/0x150
[ 191.386146] ? __mod_memcg_lruvec_state+0xe7/0x240
[ 191.386676] ? __lruvec_stat_mod_folio+0x79/0xb0
[ 191.387124] ? __pfx_lru_add+0x10/0x10
[ 191.387515] ? queued_spin_unlock+0x9/0x10
[ 191.387937] ? do_anonymous_page+0x33c/0xa00
[ 191.388374] ? __handle_mm_fault+0xcf3/0x1210
[ 191.388805] ? __count_memcg_events+0xbe/0x180
[ 191.389235] ? handle_mm_fault+0xae/0x300
[ 19 ---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 11:10:37 UTC

Technical Analysis

CVE-2025-21953 is a vulnerability in the Linux kernel's MANA (Microsoft Azure Network Adapter) driver, specifically related to the handling of debugfs pointers during VM hibernation and resume operations. The flaw occurs when a MANA virtual machine triggers hibernation, invoking the hibernate_snapshot() function, which calls mana_gd_suspend() and mana_gd_resume(). If mana_gd_resume() fails during hardware context (HWC) creation, the mana_port_debugfs pointer is not properly reinitialized and continues to reference a previously cleaned-up dentry (directory entry). Subsequently, during the power_down() phase of hibernation, mana_gd_shutdown() attempts to clean up the already freed mana_port_debugfs pointer, leading to a NULL pointer dereference and kernel oops (crash). The kernel log excerpt shows a supervisor write access fault due to this dereference, causing a system crash.

This vulnerability affects Linux kernel versions containing the MANA driver, particularly on Microsoft Hyper-V virtual machines using UEFI BIOS. The issue stems from improper error handling and pointer management in the MANA driver's suspend/resume and shutdown sequences during hibernation.

While no known exploits are reported in the wild, the vulnerability can cause denial of service (DoS) by crashing the kernel on affected systems when hibernation is triggered under failure conditions in the MANA driver. The vulnerability does not appear to allow privilege escalation or code execution but results in system instability and potential downtime. No CVSS score is assigned yet, and no patch links are provided in the data, indicating that mitigation requires updating to a fixed kernel version once available or applying vendor patches.

Potential Impact

For European organizations, this vulnerability primarily poses a risk of denial of service on Linux systems running on Microsoft Hyper-V virtual machines that utilize the MANA network adapter driver. Enterprises relying on Linux VMs in Hyper-V environments for critical workloads may experience unexpected kernel crashes during hibernation or power management operations, leading to service interruptions and potential data loss if unsaved state is lost. This can affect cloud service providers, data centers, and enterprises using hybrid cloud infrastructures with Hyper-V virtualization. The impact is more pronounced in environments where hibernation is used for power saving or VM snapshotting. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact can disrupt business operations, especially in sectors requiring high uptime such as finance, healthcare, and manufacturing. Recovery from kernel crashes may require manual intervention or VM restarts, increasing operational overhead. Additionally, the lack of a current patch means organizations must be vigilant in monitoring and applying updates promptly once available.

Mitigation Recommendations

1. Avoid using hibernation or suspend/resume features on Linux VMs running on Hyper-V with the MANA driver until a patch is applied.
2. Monitor Linux kernel updates from trusted sources and apply patches addressing CVE-2025-21953 as soon as they are released.
3. If possible, disable or unload the MANA driver module on affected systems where it is not essential.
4. Implement robust VM backup and snapshot strategies to minimize data loss in case of crashes.
5. Use alternative network adapter drivers or virtualization platforms if hibernation functionality is critical and cannot be disabled.
6. Employ kernel crash dump and monitoring tools to detect and analyze crashes promptly.
7. Coordinate with Linux distribution vendors and Microsoft Hyper-V support to ensure timely receipt of fixes and guidance.
8. Test patches in staging environments before production deployment to avoid regressions.
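For recommendation 6, a log-triage sketch added here as an example (it is not code from the CVE record or the kernel project): it parses dmesg-style text and flags a NULL-dereference report whose reliable call-trace frames pass through debugfs_remove, mana_detach and mana_gd_shutdown in that order. The function names, the SIGNATURE tuple and the shortened sample log are assumptions made for the example.

```python
import re

# Constructed sample: selected lines from the trace in the Description, plus a
# closing </TASK> marker that the truncated original does not show.
SAMPLE_LOG = """\
[ 191.359918] BUG: kernel NULL pointer dereference, address: 0000000000000098
[ 191.372906] Call Trace:
[ 191.376416] ? down_write+0x19/0x50
[ 191.377232] simple_recursive_removal+0x4a/0x2a0
[ 191.378088] debugfs_remove+0x44/0x70
[ 191.378530] mana_detach+0x17c/0x4f0
[ 191.379787] mana_remove+0xf2/0x1a0
[ 191.380193] mana_gd_shutdown+0x3b/0x70
[ 191.390000] </TASK>
"""

TS = re.compile(r"\[\s*\d+\.\d+\]\s*(.*)$")  # dmesg timestamp, any syslog prefix before it
FRAME = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SIGNATURE = ("debugfs_remove", "mana_detach", "mana_gd_shutdown")  # innermost first

def parse_oopses(text):
    """Return one dict per 'BUG:' report with its headline and reliable frames."""
    reports, cur, in_trace = [], None, False
    for raw in text.splitlines():
        m = TS.search(raw)
        msg = (m.group(1) if m else raw).strip()
        if msg.startswith("BUG:"):
            cur, in_trace = {"bug": msg, "frames": []}, False
            reports.append(cur)
        elif cur is None:
            continue
        elif msg in ("Call Trace:", "</TASK>"):
            in_trace = msg == "Call Trace:"
        elif in_trace and (f := FRAME.match(msg)) and not f.group(1):
            cur["frames"].append(f.group(2))  # '?' frames are unreliable, skipped
    return reports

def is_mana_debugfs_oops(report):
    """True when a NULL dereference was reached through SIGNATURE, in order."""
    frames = iter(report["frames"])  # shared iterator gives an ordered-subsequence match
    return ("NULL pointer dereference" in report["bug"]
            and all(sym in frames for sym in SIGNATURE))

def scan(text):
    return [r for r in parse_oopses(text) if is_mana_debugfs_oops(r)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("possible CVE-2025-21953 crash:", hit["bug"], hit["frames"])
```

Feed `scan()` the text of a saved kernel log or crash-dump dmesg; a hit means the shutdown path crashed inside the MANA debugfs cleanup, which is the condition this CVE describes.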


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.790Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe8ce7

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 11:10:37 AM

Last updated: 8/18/2025, 11:29:09 PM
