CVE-2025-22105: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: bonding: check xdp prog when set bond mode Following operations can trigger a warning[1]: ip netns add ns1 ip netns exec ns1 ip link add bond0 type bond mode balance-rr ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp ip netns exec ns1 ip link set bond0 type bond mode broadcast ip netns del ns1 When delete the namespace, dev_xdp_uninstall() is called to remove xdp program on bond dev, and bond_xdp_set() will check the bond mode. If bond mode is changed after attaching xdp program, the warning may occur. Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode with xdp program attached is not good. Add check for xdp program when set bond mode. [1] ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930 Modules linked in: CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930 Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ... RSP: 0018:ffffc90000063d80 EFLAGS: 00000282 RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48 RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8 R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000 FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0 Call Trace: <TASK> ? __warn+0x83/0x130 ? unregister_netdevice_many_notify+0x8d9/0x930 ? report_bug+0x18e/0x1a0 ? handle_bug+0x54/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? unregister_netdevice_many_notify+0x8d9/0x930 ? bond_net_exit_batch_rtnl+0x5c/0x90 cleanup_net+0x237/0x3d0 process_one_work+0x163/0x390 worker_thread+0x293/0x3b0 ? __pfx_worker_thread+0x10/0x10 kthread+0xec/0x1e0 ? __pfx_kthread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]---
AI Analysis
Technical Summary
CVE-2025-22105 is a vulnerability identified in the Linux kernel related to the bonding network driver and its interaction with eXpress Data Path (XDP) programs. The issue arises when a bond device is configured with an XDP program attached, and subsequently, the bond mode is changed to a mode that does not support native XDP, such as the broadcast mode. Specifically, the vulnerability manifests during network namespace operations involving creation and deletion, where the sequence of commands adds a bonded interface with a specific mode, attaches an XDP program, changes the bond mode to an unsupported type, and then deletes the namespace. During the deletion, the kernel calls dev_xdp_uninstall() to remove the XDP program from the bond device, and bond_xdp_set() checks the bond mode. If the bond mode was changed after attaching the XDP program, a warning is triggered, leading to a kernel warning and potentially a kernel panic or crash due to improper handling of the bond mode and XDP program state. The root cause is the lack of validation when changing bond modes while an XDP program is attached, which can lead to inconsistent state and kernel warnings. The vulnerability is demonstrated by a kernel warning trace indicating a failure in unregister_netdevice_many_notify(), which is part of the network device cleanup process. This issue affects Linux kernel version 6.14.0-rc4 and likely other versions with similar bonding and XDP code paths. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability is primarily a stability and reliability issue that could cause denial of service through kernel crashes or warnings during network namespace cleanup involving bonded interfaces with XDP programs.
Potential Impact
For European organizations, this vulnerability could impact systems that utilize Linux kernel bonding interfaces combined with XDP programs, particularly in environments using network namespaces such as containerized or virtualized infrastructures. The potential impact includes system instability or denial of service due to kernel warnings or crashes triggered during network namespace deletion or bond mode changes. This could disrupt network connectivity, degrade service availability, and affect critical infrastructure relying on bonded network interfaces for redundancy and performance. Organizations running high-performance network applications, telecom infrastructure, cloud service providers, and data centers using Linux-based networking stacks are at risk. Although no direct remote code execution or privilege escalation is indicated, the denial of service impact on network infrastructure could have cascading effects on business continuity and operational reliability. The impact is more pronounced in environments with dynamic network configurations and heavy use of XDP for packet processing acceleration.
Mitigation Recommendations
To mitigate this vulnerability, organizations should: 1) Apply the latest Linux kernel patches that include the fix for CVE-2025-22105 as soon as they become available, ensuring that bond mode changes are properly validated when XDP programs are attached. 2) Avoid changing bond modes on interfaces with active XDP programs attached until patches are applied. 3) Implement operational controls to monitor and restrict network namespace and bond interface configuration changes, especially in automated orchestration systems. 4) Test network namespace and bonding configurations in staging environments to detect potential kernel warnings or crashes before deployment. 5) Consider disabling XDP programs on bonded interfaces if bond mode changes are required frequently and patching is delayed. 6) Maintain robust system monitoring and alerting for kernel warnings related to network devices to enable rapid detection and response to potential instability. 7) Collaborate with Linux distribution vendors to ensure timely updates and backports for affected kernel versions used in production.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2025-22105: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: bonding: check xdp prog when set bond mode Following operations can trigger a warning[1]: ip netns add ns1 ip netns exec ns1 ip link add bond0 type bond mode balance-rr ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp ip netns exec ns1 ip link set bond0 type bond mode broadcast ip netns del ns1 When delete the namespace, dev_xdp_uninstall() is called to remove xdp program on bond dev, and bond_xdp_set() will check the bond mode. If bond mode is changed after attaching xdp program, the warning may occur. Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode with xdp program attached is not good. Add check for xdp program when set bond mode. [1] ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930 Modules linked in: CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930 Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ... RSP: 0018:ffffc90000063d80 EFLAGS: 00000282 RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48 RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8 R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000 FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0 Call Trace: <TASK> ? __warn+0x83/0x130 ? unregister_netdevice_many_notify+0x8d9/0x930 ? report_bug+0x18e/0x1a0 ? handle_bug+0x54/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? unregister_netdevice_many_notify+0x8d9/0x930 ? bond_net_exit_batch_rtnl+0x5c/0x90 cleanup_net+0x237/0x3d0 process_one_work+0x163/0x390 worker_thread+0x293/0x3b0 ? __pfx_worker_thread+0x10/0x10 kthread+0xec/0x1e0 ? __pfx_kthread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]---
AI-Powered Analysis
Technical Analysis
CVE-2025-22105 is a vulnerability identified in the Linux kernel related to the bonding network driver and its interaction with eXpress Data Path (XDP) programs. The issue arises when a bond device is configured with an XDP program attached, and subsequently, the bond mode is changed to a mode that does not support native XDP, such as the broadcast mode. Specifically, the vulnerability manifests during network namespace operations involving creation and deletion, where the sequence of commands adds a bonded interface with a specific mode, attaches an XDP program, changes the bond mode to an unsupported type, and then deletes the namespace. During the deletion, the kernel calls dev_xdp_uninstall() to remove the XDP program from the bond device, and bond_xdp_set() checks the bond mode. If the bond mode was changed after attaching the XDP program, a warning is triggered, leading to a kernel warning and potentially a kernel panic or crash due to improper handling of the bond mode and XDP program state. The root cause is the lack of validation when changing bond modes while an XDP program is attached, which can lead to inconsistent state and kernel warnings. The vulnerability is demonstrated by a kernel warning trace indicating a failure in unregister_netdevice_many_notify(), which is part of the network device cleanup process. This issue affects Linux kernel version 6.14.0-rc4 and likely other versions with similar bonding and XDP code paths. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability is primarily a stability and reliability issue that could cause denial of service through kernel crashes or warnings during network namespace cleanup involving bonded interfaces with XDP programs.
Potential Impact
For European organizations, this vulnerability could impact systems that utilize Linux kernel bonding interfaces combined with XDP programs, particularly in environments using network namespaces such as containerized or virtualized infrastructures. The potential impact includes system instability or denial of service due to kernel warnings or crashes triggered during network namespace deletion or bond mode changes. This could disrupt network connectivity, degrade service availability, and affect critical infrastructure relying on bonded network interfaces for redundancy and performance. Organizations running high-performance network applications, telecom infrastructure, cloud service providers, and data centers using Linux-based networking stacks are at risk. Although no direct remote code execution or privilege escalation is indicated, the denial of service impact on network infrastructure could have cascading effects on business continuity and operational reliability. The impact is more pronounced in environments with dynamic network configurations and heavy use of XDP for packet processing acceleration.
Mitigation Recommendations
To mitigate this vulnerability, organizations should: 1) Apply the latest Linux kernel patches that include the fix for CVE-2025-22105 as soon as they become available, ensuring that bond mode changes are properly validated when XDP programs are attached. 2) Avoid changing bond modes on interfaces with active XDP programs attached until patches are applied. 3) Implement operational controls to monitor and restrict network namespace and bond interface configuration changes, especially in automated orchestration systems. 4) Test network namespace and bonding configurations in staging environments to detect potential kernel warnings or crashes before deployment. 5) Consider disabling XDP programs on bonded interfaces if bond mode changes are required frequently and patching is delayed. 6) Maintain robust system monitoring and alerting for kernel warnings related to network devices to enable rapid detection and response to potential instability. 7) Collaborate with Linux distribution vendors to ensure timely updates and backports for affected kernel versions used in production.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.819Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9832c4522896dcbe813d
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 9:25:08 PM
Last updated: 8/11/2025, 1:08:23 AM
Views: 12
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.