CVE-2025-21986: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net: switchdev: Convert blocking notification chain to a raw one A blocking notification chain uses a read-write semaphore to protect the integrity of the chain. The semaphore is acquired for writing when adding / removing notifiers to / from the chain and acquired for reading when traversing the chain and informing notifiers about an event. In case of the blocking switchdev notification chain, recursive notifications are possible which leads to the semaphore being acquired twice for reading and to lockdep warnings being generated [1]. Specifically, this can happen when the bridge driver processes a SWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications about deferred events when calling switchdev_deferred_process(). Fix this by converting the notification chain to a raw notification chain in a similar fashion to the netdev notification chain. Protect the chain using the RTNL mutex by acquiring it when modifying the chain. Events are always informed under the RTNL mutex, but add an assertion in call_switchdev_blocking_notifiers() to make sure this is not violated in the future. Maintain the "blocking" prefix as events are always emitted from process context and listeners are allowed to block. [1]: WARNING: possible recursive locking detected 6.14.0-rc4-custom-g079270089484 #1 Not tainted -------------------------------------------- ip/52731 is trying to acquire lock: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 but task is already holding lock: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock((switchdev_blocking_notif_chain).rwsem); lock((switchdev_blocking_notif_chain).rwsem); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by ip/52731: #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0 #1: ffffffff8731f628 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0 #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 stack backtrace: ... ? __pfx_down_read+0x10/0x10 ? __pfx_mark_lock+0x10/0x10 ? __pfx_switchdev_port_attr_set_deferred+0x10/0x10 blocking_notifier_call_chain+0x58/0xa0 switchdev_port_attr_notify.constprop.0+0xb3/0x1b0 ? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10 ? mark_held_locks+0x94/0xe0 ? switchdev_deferred_process+0x11a/0x340 switchdev_port_attr_set_deferred+0x27/0xd0 switchdev_deferred_process+0x164/0x340 br_switchdev_port_unoffload+0xc8/0x100 [bridge] br_switchdev_blocking_event+0x29f/0x580 [bridge] notifier_call_chain+0xa2/0x440 blocking_notifier_call_chain+0x6e/0xa0 switchdev_bridge_port_unoffload+0xde/0x1a0 ...
AI Analysis
Technical Summary
CVE-2025-21986 is a vulnerability identified in the Linux kernel's networking subsystem, specifically within the switchdev notification chain implementation. The issue arises from the use of a blocking notification chain protected by a read-write semaphore (rwsem) that can be recursively acquired during certain event notifications. In particular, when the bridge driver processes the SWITCHDEV_BRPORT_UNOFFLOADED event, it triggers deferred event notifications via switchdev_deferred_process(), which can cause the semaphore protecting the notification chain to be acquired twice for reading by the same thread. This recursive locking leads to lockdep warnings and can result in a deadlock scenario, where the kernel thread is indefinitely blocked waiting on a lock it already holds. The root cause is that the blocking notification chain uses a read-write semaphore that does not support recursive locking, and the notification chain traversal can re-enter itself during event processing. The fix implemented converts the blocking notification chain to a raw notification chain, which does not use the read-write semaphore but instead relies on the RTNL (routing netlink) mutex to protect modifications and event emissions. This change prevents recursive locking by ensuring that all notifications and modifications are serialized under the RTNL mutex, which supports recursive locking semantics. The vulnerability can cause kernel deadlocks, leading to denial of service (DoS) conditions where affected systems become unresponsive or experience degraded network functionality. The issue affects multiple Linux kernel versions identified by specific commit hashes, indicating it is present in recent kernel releases prior to the fix. No known exploits are currently reported in the wild. The vulnerability does not have an assigned CVSS score but is published and acknowledged by the Linux project. The technical details include kernel stack traces illustrating the recursive locking and deadlock conditions, emphasizing the severity of the synchronization flaw in the networking code path.
Potential Impact
For European organizations, the impact of CVE-2025-21986 can be significant, especially for those relying on Linux-based infrastructure for critical networking functions such as data centers, cloud services, telecommunications, and enterprise networking equipment. The vulnerability can cause kernel deadlocks resulting in denial of service, which may disrupt network connectivity, degrade application availability, and impact business operations. Organizations operating Linux servers with bridge drivers and switchdev support enabled are particularly at risk. This includes environments using Linux for network virtualization, container networking (e.g., Kubernetes with Linux bridges), and software-defined networking (SDN) solutions. The deadlock may require system reboots to recover, leading to downtime and potential loss of productivity. While the vulnerability does not appear to allow privilege escalation or remote code execution, the availability impact alone can be critical for service providers and enterprises with stringent uptime requirements. Additionally, the complexity of the issue and the need for kernel-level patching may delay remediation in some environments, prolonging exposure. European organizations in sectors such as finance, healthcare, and critical infrastructure that depend on stable Linux networking stacks should prioritize addressing this vulnerability to maintain operational continuity.
Mitigation Recommendations
To mitigate CVE-2025-21986, European organizations should: 1) Apply the official Linux kernel patches that convert the switchdev notification chain from a blocking to a raw notification chain, ensuring the RTNL mutex protects all modifications and event emissions. This patch eliminates the recursive locking condition and prevents deadlocks. 2) Update Linux kernel versions to the fixed releases containing this patch as soon as they become available from trusted distributors or vendors. 3) In environments where immediate patching is not feasible, consider temporarily disabling or limiting the use of switchdev features or bridge offloading that trigger the vulnerable notification chain, if operationally acceptable. 4) Monitor kernel logs for lockdep warnings or deadlock symptoms related to switchdev or bridge drivers, enabling early detection of potential exploitation or system instability. 5) Conduct thorough testing of updated kernels in staging environments to verify stability and compatibility before deployment in production. 6) Engage with Linux distribution vendors and network equipment providers to confirm patch availability and coordinate timely updates. 7) Implement robust system monitoring and automated recovery mechanisms to minimize downtime in case of deadlocks. These targeted mitigations go beyond generic advice by focusing on the specific kernel subsystem and synchronization primitives involved.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2025-21986: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net: switchdev: Convert blocking notification chain to a raw one A blocking notification chain uses a read-write semaphore to protect the integrity of the chain. The semaphore is acquired for writing when adding / removing notifiers to / from the chain and acquired for reading when traversing the chain and informing notifiers about an event. In case of the blocking switchdev notification chain, recursive notifications are possible which leads to the semaphore being acquired twice for reading and to lockdep warnings being generated [1]. Specifically, this can happen when the bridge driver processes a SWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications about deferred events when calling switchdev_deferred_process(). Fix this by converting the notification chain to a raw notification chain in a similar fashion to the netdev notification chain. Protect the chain using the RTNL mutex by acquiring it when modifying the chain. Events are always informed under the RTNL mutex, but add an assertion in call_switchdev_blocking_notifiers() to make sure this is not violated in the future. Maintain the "blocking" prefix as events are always emitted from process context and listeners are allowed to block. [1]: WARNING: possible recursive locking detected 6.14.0-rc4-custom-g079270089484 #1 Not tainted -------------------------------------------- ip/52731 is trying to acquire lock: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 but task is already holding lock: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock((switchdev_blocking_notif_chain).rwsem); lock((switchdev_blocking_notif_chain).rwsem); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by ip/52731: #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0 #1: ffffffff8731f628 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0 #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 stack backtrace: ... ? __pfx_down_read+0x10/0x10 ? __pfx_mark_lock+0x10/0x10 ? __pfx_switchdev_port_attr_set_deferred+0x10/0x10 blocking_notifier_call_chain+0x58/0xa0 switchdev_port_attr_notify.constprop.0+0xb3/0x1b0 ? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10 ? mark_held_locks+0x94/0xe0 ? switchdev_deferred_process+0x11a/0x340 switchdev_port_attr_set_deferred+0x27/0xd0 switchdev_deferred_process+0x164/0x340 br_switchdev_port_unoffload+0xc8/0x100 [bridge] br_switchdev_blocking_event+0x29f/0x580 [bridge] notifier_call_chain+0xa2/0x440 blocking_notifier_call_chain+0x6e/0xa0 switchdev_bridge_port_unoffload+0xde/0x1a0 ...
AI-Powered Analysis
Technical Analysis
CVE-2025-21986 is a vulnerability identified in the Linux kernel's networking subsystem, specifically within the switchdev notification chain implementation. The issue arises from the use of a blocking notification chain protected by a read-write semaphore (rwsem) that can be recursively acquired during certain event notifications. In particular, when the bridge driver processes the SWITCHDEV_BRPORT_UNOFFLOADED event, it triggers deferred event notifications via switchdev_deferred_process(), which can cause the semaphore protecting the notification chain to be acquired twice for reading by the same thread. This recursive locking leads to lockdep warnings and can result in a deadlock scenario, where the kernel thread is indefinitely blocked waiting on a lock it already holds. The root cause is that the blocking notification chain uses a read-write semaphore that does not support recursive locking, and the notification chain traversal can re-enter itself during event processing. The fix implemented converts the blocking notification chain to a raw notification chain, which does not use the read-write semaphore but instead relies on the RTNL (routing netlink) mutex to protect modifications and event emissions. This change prevents recursive locking by ensuring that all notifications and modifications are serialized under the RTNL mutex, which supports recursive locking semantics. The vulnerability can cause kernel deadlocks, leading to denial of service (DoS) conditions where affected systems become unresponsive or experience degraded network functionality. The issue affects multiple Linux kernel versions identified by specific commit hashes, indicating it is present in recent kernel releases prior to the fix. No known exploits are currently reported in the wild. The vulnerability does not have an assigned CVSS score but is published and acknowledged by the Linux project. The technical details include kernel stack traces illustrating the recursive locking and deadlock conditions, emphasizing the severity of the synchronization flaw in the networking code path.
Potential Impact
For European organizations, the impact of CVE-2025-21986 can be significant, especially for those relying on Linux-based infrastructure for critical networking functions such as data centers, cloud services, telecommunications, and enterprise networking equipment. The vulnerability can cause kernel deadlocks resulting in denial of service, which may disrupt network connectivity, degrade application availability, and impact business operations. Organizations operating Linux servers with bridge drivers and switchdev support enabled are particularly at risk. This includes environments using Linux for network virtualization, container networking (e.g., Kubernetes with Linux bridges), and software-defined networking (SDN) solutions. The deadlock may require system reboots to recover, leading to downtime and potential loss of productivity. While the vulnerability does not appear to allow privilege escalation or remote code execution, the availability impact alone can be critical for service providers and enterprises with stringent uptime requirements. Additionally, the complexity of the issue and the need for kernel-level patching may delay remediation in some environments, prolonging exposure. European organizations in sectors such as finance, healthcare, and critical infrastructure that depend on stable Linux networking stacks should prioritize addressing this vulnerability to maintain operational continuity.
Mitigation Recommendations
To mitigate CVE-2025-21986, European organizations should: 1) Apply the official Linux kernel patches that convert the switchdev notification chain from a blocking to a raw notification chain, ensuring the RTNL mutex protects all modifications and event emissions. This patch eliminates the recursive locking condition and prevents deadlocks. 2) Update Linux kernel versions to the fixed releases containing this patch as soon as they become available from trusted distributors or vendors. 3) In environments where immediate patching is not feasible, consider temporarily disabling or limiting the use of switchdev features or bridge offloading that trigger the vulnerable notification chain, if operationally acceptable. 4) Monitor kernel logs for lockdep warnings or deadlock symptoms related to switchdev or bridge drivers, enabling early detection of potential exploitation or system instability. 5) Conduct thorough testing of updated kernels in staging environments to verify stability and compatibility before deployment in production. 6) Engage with Linux distribution vendors and network equipment providers to confirm patch availability and coordinate timely updates. 7) Implement robust system monitoring and automated recovery mechanisms to minimize downtime in case of deadlocks. These targeted mitigations go beyond generic advice by focusing on the specific kernel subsystem and synchronization primitives involved.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.800Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9820c4522896dcbdd3ca
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 11:54:31 PM
Last updated: 8/12/2025, 5:59:36 AM
Views: 11
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.