
CVE-2025-22085: Vulnerability in Linux Linux

High
Published: Wed Apr 16 2025 (04/16/2025, 14:12:33 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Fix use-after-free when rename device name

Syzbot reported a slab-use-after-free with the following call trace:

==================================================================
BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099
Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025

CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0
Hardware name: Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 nla_put+0xd3/0x150 lib/nlattr.c:1099
 nla_put_string include/net/netlink.h:1621 [inline]
 fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265
 rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857
 ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344
 ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460
 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:709 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:724
 ____sys_sendmsg+0x53a/0x860 net/socket.c:2564
 ___sys_sendmsg net/socket.c:2618 [inline]
 __sys_sendmsg+0x269/0x350 net/socket.c:2650
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f42d1b8d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ...
RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169
RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c
RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8
 </TASK>

Allocated by task 10025:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4294 [inline]
 __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313
 __kmemdup_nul mm/util.c:61 [inline]
 kstrdup+0x42/0x100 mm/util.c:81
 kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274
 dev_set_name+0xd5/0x120 drivers/base/core.c:3468
 assign_name drivers/infiniband/core/device.c:1202 [inline]
 ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384
 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x8de/0xcb0 net ---truncated---

AI-Powered Analysis

Last updated: 07/08/2025, 20:26:17 UTC

Technical Analysis

CVE-2025-22085 is a high-severity vulnerability in the Linux kernel, specifically in the RDMA (Remote Direct Memory Access) core subsystem. It is a use-after-free bug that occurs while an RDMA device is being renamed. The issue was found and reported by Syzbot, an automated kernel fuzzer, which detected a slab-use-after-free condition in the nla_put function of the netlink attribute library (lib/nlattr.c). That function builds netlink messages, the mechanism the kernel uses to communicate with user space. During the rename, the kernel reads device-name memory that has already been freed, which can cause memory corruption, a kernel crash, or potentially arbitrary code execution in kernel context. The vulnerability is tracked under CWE-416 (Use After Free), a common and dangerous class of memory corruption bugs. The CVSS v3.1 base score is 7.8 (high). The vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates that the attack requires local access with low privileges and no user interaction, but has high impact on confidentiality, integrity, and availability. The vulnerability affects Linux kernel versions including the 6.14.0-rc4 release candidate on which it was reported, and likely other versions containing the affected RDMA code. The call trace shows the sequence of kernel functions leading to the use-after-free: RDMA device registration followed by netlink notification handling. No exploits are known to be in the wild, but the nature of the bug and its impact mean that a local attacker could plausibly use it to escalate privileges or cause a denial of service by crashing the kernel. The vulnerability has been resolved in recent kernel updates, but no direct patch links are provided in the data. 
Organizations running Linux kernels with RDMA support, especially in environments using InfiniBand or similar high-performance networking, are at risk if they have not applied the fix.

Potential Impact

For European organizations, the impact of CVE-2025-22085 can be significant, particularly for enterprises and research institutions relying on Linux servers with RDMA capabilities. RDMA is commonly used in high-performance computing (HPC), data centers, cloud infrastructure, and financial services for low-latency, high-throughput networking. Exploitation of this vulnerability could lead to unauthorized access to sensitive data, disruption of critical services, and potential compromise of entire systems due to kernel-level code execution. This could affect confidentiality, integrity, and availability of data and services. Given the high severity and local attack vector, insider threats or attackers with limited access could leverage this bug to escalate privileges. The disruption could impact sectors such as finance, telecommunications, research, and cloud service providers, which are prevalent in Europe. Additionally, the vulnerability could affect virtualized environments and cloud platforms running Linux kernels with RDMA support, which are widely used by European organizations. The lack of known exploits currently reduces immediate risk, but the potential for future exploitation necessitates prompt mitigation.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:
1) Identify all Linux systems running kernels with RDMA support, especially those using InfiniBand or similar technologies.
2) Verify kernel versions and apply the latest stable Linux kernel updates that include the fix for CVE-2025-22085. Since no direct patch links are provided, organizations should monitor official Linux kernel mailing lists and vendor advisories for patches.
3) If immediate patching is not possible, consider disabling RDMA support or the affected RDMA drivers (e.g., rxe, InfiniBand core modules) temporarily to mitigate risk.
4) Restrict local access to trusted users only, as exploitation requires local privileges.
5) Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) and other memory safety tools during development and testing to detect similar issues early.
6) Monitor system logs and kernel crash reports for signs of exploitation attempts or instability related to RDMA device operations.
7) For cloud environments, coordinate with cloud service providers to ensure underlying infrastructure is patched.
8) Conduct security awareness training for system administrators about the risks of local privilege escalation vulnerabilities and the importance of timely patching.
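The inventory part of steps 1 and 3 (find hosts with RDMA loaded, and in particular the rxe soft-RoCE driver that appears in the call trace) can be scripted. The helper below is an added example, not code from the advisory or from the kernel project. It parses an lsmod-style listing (the same first-column layout as /proc/modules), so it can be exercised on the constructed sample embedded in the script; the module names it looks for are the upstream in-tree names, which is an assumption since distributions may rename them or build them into the kernel.

```shell
#!/bin/sh
# Added triage helper for the mitigation steps in this advisory (not advisory or kernel code).
# It inspects an lsmod-style listing ("name size usecount deps ...") and reports which
# RDMA modules are loaded. Module names below are upstream in-tree names; this is an
# assumption, so adjust the list for distributions that rename or build them in.

RDMA_MODULES="rdma_rxe ib_core ib_uverbs rdma_cm rdma_ucm ib_ipoib"

# module_names LISTING -> first column of each non-empty line, skipping an lsmod header.
module_names() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "Module" { next } NF { print $1 }'
}

# rdma_modules_loaded LISTING -> space-separated subset of RDMA_MODULES that is loaded,
# in RDMA_MODULES order. Only the first column counts, so a module that merely appears
# in another module's "Used by" column is not reported.
rdma_modules_loaded() {
    names=$(module_names "$1")
    found=""
    for m in $RDMA_MODULES; do
        if printf '%s\n' "$names" | grep -qx "$m"; then
            found="${found:+$found }$m"
        fi
    done
    printf '%s' "$found"
}

# rxe_loaded LISTING -> exit 0 when the soft-RoCE driver from the call trace is loaded.
rxe_loaded() {
    module_names "$1" | grep -qx rdma_rxe
}

# rdma_risk_summary LISTING -> one-line verdict suitable for an inventory report.
rdma_risk_summary() {
    loaded=$(rdma_modules_loaded "$1")
    if [ -z "$loaded" ]; then
        printf 'no RDMA modules loaded'
    elif rxe_loaded "$1"; then
        printf 'RDMA loaded incl. rdma_rxe (%s)' "$loaded"
    else
        printf 'RDMA loaded (%s)' "$loaded"
    fi
}

# Constructed sample standing in for `lsmod` output on a host with soft-RoCE enabled.
SAMPLE_LSMOD='Module                  Size  Used by
rdma_rxe              163840  0
ib_uverbs             196608  1 rdma_rxe
ib_core               487424  2 rdma_rxe,ib_uverbs
xfs                  2097152  1'

# Live mode: only touches the real module table when explicitly requested on a Linux host.
if [ "${RDMA_TRIAGE_LIVE:-0}" = 1 ] && [ -r /proc/modules ]; then
    printf 'kernel: %s\n' "$(uname -r)"
    printf 'verdict: %s\n' "$(rdma_risk_summary "$(cat /proc/modules)")"
else
    printf 'sample verdict: %s\n' "$(rdma_risk_summary "$SAMPLE_LSMOD")"
fi
```

Run it with RDMA_TRIAGE_LIVE=1 on each candidate host (for example through an existing configuration-management or inventory job) and collect the kernel line together with the verdict; hosts reporting rdma_rxe or the InfiniBand core modules are the ones that need the kernel update from step 2 first, or the temporary module removal from step 3.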


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-12-29T08:45:45.816Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9831c4522896dcbe8072

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/8/2025, 8:26:17 PM

Last updated: 8/3/2025, 3:41:57 PM

