CVE-2025-22053: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: ibmveth: make veth_pool_store stop hanging

v2:
- Created a single error handling unlock and exit in veth_pool_store
- Greatly expanded commit message with previous explanatory-only text

Summary: Use rtnl_mutex to synchronize veth_pool_store with itself, ibmveth_close and ibmveth_open, preventing multiple calls in a row to napi_disable.

Background: Two (or more) threads could call veth_pool_store through writing to /sys/devices/vio/30000002/pool*/*. You can do this easily with a little shell script. This causes a hang.

I configured LOCKDEP, compiled ibmveth.c with DEBUG, and built a new kernel. I ran this test again and saw:

Setting pool0/active to 0
Setting pool1/active to 1
[   73.911067][ T4365] ibmveth 30000002 eth0: close starting
Setting pool1/active to 1
Setting pool1/active to 0
[   73.911367][ T4366] ibmveth 30000002 eth0: close starting
[   73.916056][ T4365] ibmveth 30000002 eth0: close complete
[   73.916064][ T4365] ibmveth 30000002 eth0: open starting
[  110.808564][  T712] systemd-journald[712]: Sent WATCHDOG=1 notification.
[  230.808495][  T712] systemd-journald[712]: Sent WATCHDOG=1 notification.
[  243.683786][  T123] INFO: task stress.sh:4365 blocked for more than 122 seconds.
[  243.683827][  T123]       Not tainted 6.14.0-01103-g2df0c02dab82-dirty #8
[  243.683833][  T123] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  243.683838][  T123] task:stress.sh state:D stack:28096 pid:4365 tgid:4365 ppid:4364 task_flags:0x400040 flags:0x00042000
[  243.683852][  T123] Call Trace:
[  243.683857][  T123] [c00000000c38f690] [0000000000000001] 0x1 (unreliable)
[  243.683868][  T123] [c00000000c38f840] [c00000000001f908] __switch_to+0x318/0x4e0
[  243.683878][  T123] [c00000000c38f8a0] [c000000001549a70] __schedule+0x500/0x12a0
[  243.683888][  T123] [c00000000c38f9a0] [c00000000154a878] schedule+0x68/0x210
[  243.683896][  T123] [c00000000c38f9d0] [c00000000154ac80] schedule_preempt_disabled+0x30/0x50
[  243.683904][  T123] [c00000000c38fa00] [c00000000154dbb0] __mutex_lock+0x730/0x10f0
[  243.683913][  T123] [c00000000c38fb10] [c000000001154d40] napi_enable+0x30/0x60
[  243.683921][  T123] [c00000000c38fb40] [c000000000f4ae94] ibmveth_open+0x68/0x5dc
[  243.683928][  T123] [c00000000c38fbe0] [c000000000f4aa20] veth_pool_store+0x220/0x270
[  243.683936][  T123] [c00000000c38fc70] [c000000000826278] sysfs_kf_write+0x68/0xb0
[  243.683944][  T123] [c00000000c38fcb0] [c0000000008240b8] kernfs_fop_write_iter+0x198/0x2d0
[  243.683951][  T123] [c00000000c38fd00] [c00000000071b9ac] vfs_write+0x34c/0x650
[  243.683958][  T123] [c00000000c38fdc0] [c00000000071bea8] ksys_write+0x88/0x150
[  243.683966][  T123] [c00000000c38fe10] [c0000000000317f4] system_call_exception+0x124/0x340
[  243.683973][  T123] [c00000000c38fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
...
[  243.684087][  T123] Showing all locks held in the system:
[  243.684095][  T123] 1 lock held by khungtaskd/123:
[  243.684099][  T123]  #0: c00000000278e370 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x50/0x248
[  243.684114][  T123] 4 locks held by stress.sh/4365:
[  243.684119][  T123]  #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150
[  243.684132][  T123]  #1: c000000041aea888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x154/0x2d0
[  243.684143][  T123]  #2: c0000000366fb9a8 (kn->active#64){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x160/0x2d0
[  243.684155][  T123]  #3: c000000035ff4cb8 (&dev->lock){+.+.}-{3:3}, at: napi_enable+0x30/0x60
[  243.684166][  T123] 5 locks held by stress.sh/4366:
[  243.684170][  T123]  #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150
[  243. ---truncated---
AI Analysis
Technical Summary
CVE-2025-22053 is a vulnerability in the Linux kernel's ibmveth network driver, specifically in the veth_pool_store function. It arises from improper synchronization when multiple threads concurrently invoke veth_pool_store via writes to the sysfs entries under /sys/devices/vio/30000002/pool*/*. Because the function does not serialize access to shared resources, napi_disable can be called multiple times in a row, which hangs the kernel. The root cause is the absence of locking around the critical sections in veth_pool_store, ibmveth_close, and ibmveth_open. The fix uses rtnl_mutex to synchronize these calls, preventing concurrent execution and eliminating the hang. The vulnerability can be triggered by a low-privileged user or script that writes to the affected sysfs interface, so it is straightforward to trigger in environments where such access is permitted. It does not appear to allow privilege escalation or arbitrary code execution, but it can cause denial of service (DoS) by hanging the kernel thread responsible for network interface management. The issue was identified and fixed in Linux kernel version 6.14.0-01103; confirming the deadlock scenario involved detailed kernel debugging and lockdep analysis. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability primarily poses a risk of denial of service on Linux systems running the affected ibmveth driver, which is typically used in IBM Power Systems virtualized environments. Organizations relying on these systems for critical network functions could experience service interruptions or degraded performance if the vulnerability is exploited. This could impact data centers, cloud service providers, and enterprises using IBM Power hardware with Linux, potentially disrupting business operations and network connectivity. While the vulnerability does not directly compromise data confidentiality or integrity, the availability impact could affect services dependent on the affected network interfaces. In regulated industries such as finance, healthcare, and critical infrastructure within Europe, even temporary outages can have significant operational and compliance consequences. Additionally, the ease of triggering the hang via simple shell scripts increases the risk of accidental or malicious exploitation by insiders or automated attack tools. However, since the vulnerability requires write access to specific sysfs entries, the attack surface is somewhat limited to environments where such permissions are granted.
Mitigation Recommendations
European organizations should apply the Linux kernel patch that introduces rtnl_mutex locking around veth_pool_store, ibmveth_close, and ibmveth_open functions as soon as it becomes available in their Linux distribution updates. Until patched, administrators should restrict write permissions to the sysfs path /sys/devices/vio/30000002/pool*/* to trusted users only, effectively preventing unprivileged users from triggering the vulnerability. Monitoring and alerting on unusual writes to these sysfs entries can help detect attempted exploitation. For environments using IBM Power Systems with Linux, consider isolating vulnerable hosts from untrusted networks and limiting access to management interfaces. Additionally, implementing kernel lockdown features and mandatory access controls (e.g., SELinux, AppArmor) can reduce the risk of unauthorized sysfs writes. Regularly auditing kernel versions and applying security updates promptly will minimize exposure. Finally, organizations should test kernel updates in staging environments to ensure stability and compatibility before deployment.
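As an added example that is not part of this record or of the kernel fix, a POSIX shell script implementing the interim mitigation above: it audits the ibmveth pool attributes under a sysfs device directory for group/other write bits and strips them. The device directory argument is an assumption; the path on this page is /sys/devices/vio/30000002, and the vio unit address differs per host.

```shell
# Audit and tighten the mode bits of ibmveth pool attributes.
# Added example, not code from the CVE record or the kernel patch.
# DEV_DIR is the sysfs device directory, e.g. /sys/devices/vio/30000002.

# List pool attributes writable by group or others; return 1 if any exist.
check_pool_perms() {
    dev_dir=$1
    bad=0
    for attr in "$dev_dir"/pool*/*; do
        [ -f "$attr" ] || continue
        mode=$(stat -c %a "$attr")          # octal mode, e.g. 644 (GNU stat)
        perm=${mode#"${mode%???}"}          # keep the last three digits
        grp=${perm%?}; grp=${grp#?}         # group digit
        oth=${perm#??}                      # others digit
        if [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
            echo "non-owner writable: $attr (mode $mode)"
            bad=1
        fi
    done
    return $bad
}

# Drop group/other write bits so only the owner (root) can reach
# veth_pool_store through sysfs. sysfs is rebuilt at boot, so this
# does not persist; rerun it from a boot-time script or udev rule.
harden_pool_perms() {
    dev_dir=$1
    for attr in "$dev_dir"/pool*/*; do
        [ -f "$attr" ] && chmod go-w "$attr"
    done
}

if [ -n "$1" ]; then   # usage: sh pool-perms.sh /sys/devices/vio/30000002
    check_pool_perms "$1" || harden_pool_perms "$1"
fi
```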
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.811Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7f57
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 8:40:22 PM
Last updated: 8/11/2025, 9:31:47 PM