
CVE-2025-22111: Vulnerability in Linux Linux

Severity: High
Published: Wed Apr 16 2025 (04/16/2025, 14:12:57 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.

SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to br_ioctl_call(), which causes unnecessary RTNL dance and the splat below [0] under RTNL pressure.

Let's say Thread A is trying to detach a device from a bridge and Thread B is trying to remove the bridge.

In dev_ioctl(), Thread A bumps the bridge device's refcnt by netdev_hold() and releases RTNL because the following br_ioctl_call() also re-acquires RTNL.

In the race window, Thread B could acquire RTNL and try to remove the bridge device. Then, rtnl_unlock() by Thread B will release RTNL and wait for netdev_put() by Thread A.

Thread A, however, must hold RTNL after the unlock in dev_ifsioc(), which may take long under RTNL pressure, resulting in the splat by Thread B.

  Thread A (SIOCBRDELIF)                 Thread B (SIOCBRDELBR)
  ----------------------                 ----------------------
  sock_ioctl                             sock_ioctl
  `- sock_do_ioctl                       `- br_ioctl_call
     `- dev_ioctl                           `- br_ioctl_stub
        |- rtnl_lock                           |
        |- dev_ifsioc                          '
        '  |- dev = __dev_get_by_name(...)
           |- netdev_hold(dev, ...)            .
        /  |- rtnl_unlock ------.              |
        |  |- br_ioctl_call      `---> |- rtnl_lock
  Race  |  |  `- br_ioctl_stub         |- br_del_bridge
  Window|  |     |                     |  |- dev = __dev_get_by_name(...)
        |  |     | May take long       |  `- br_dev_delete(dev, ...)
        |  |     | under RTNL pressure |     `- unregister_netdevice_queue(dev, ...)
        |  |     |                     `- rtnl_unlock
        \  |     |- rtnl_lock  <-'        `- netdev_run_todo
           |     |- ...                      `- netdev_run_todo
           |     `- rtnl_unlock                 |- __rtnl_unlock
           |                                    |- netdev_wait_allrefs_any
           |- netdev_put(dev, ...)  <----------------'
                                                Wait refcnt decrement and log splat below

To avoid blocking SIOCBRDELBR unnecessarily, let's not call dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.

In the dev_ioctl() path, we do the following:

  1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()
  2. Check CAP_NET_ADMIN in dev_ioctl()
  3. Call dev_load() in dev_ioctl()
  4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()

3. can be done by request_module() in br_ioctl_call(), so we move 1., 2., and 4. to br_ioctl_stub().

Note that 2. is also checked later in add_del_if(), but it's better performed before RTNL.

SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since the pre-git era, and there seems to be no specific reason to process them there.

[0]:
  unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
  ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
   __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
   netdev_hold include/linux/netdevice.h:4311 [inline]
   dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
   dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
   sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
   sock_ioctl+0x23a/0x6c0 net/socket.c:1318
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:906 [inline]
   __se_sys_ioctl fs/ioctl.c:892 [inline]
   __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

AI-Powered Analysis

Last updated: 07/03/2025, 21:26:48 UTC

Technical Analysis

CVE-2025-22111 is a vulnerability in the Linux kernel's network subsystem related to the handling of bridge device ioctl commands, specifically SIOCBRADDIF and SIOCBRDELIF. The issue is a race condition involving the RTNL (rtnetlink) lock, which serializes network device operations.

When a thread (Thread A) detaches a device from a bridge with SIOCBRDELIF, the request goes through dev_ioctl(), which takes a reference on the bridge device with netdev_hold() and releases the RTNL lock before calling br_ioctl_call(), which re-acquires it. Concurrently, another thread (Thread B) may remove the entire bridge with SIOCBRDELBR. In the window between Thread A's unlock and re-lock, Thread B can acquire RTNL and unregister the bridge device while Thread A still holds its reference. Thread B's rtnl_unlock() then waits in netdev_run_todo() for the reference count to drop, while Thread A is itself blocked waiting to re-acquire RTNL, which can take long under RTNL pressure. The result is a deadlock-like stall and the kernel splat (the "unregister_netdevice: waiting for ... to become free" warning and stack dump quoted in the description).

The root cause is the unnecessary RTNL release and re-acquisition (the "RTNL dance") in dev_ioctl() for these two ioctl commands, which served no purpose and opened the race window. The fix stops routing SIOCBRADDIF and SIOCBRDELIF through dev_ioctl(): the ifreq copy, the CAP_NET_ADMIN check and the master device lookup move into br_ioctl_stub(), and module loading is handled by request_module() in br_ioctl_call(). This removes the extra lock handoff and with it the race.

The vulnerability affects Linux kernel versions prior to the patch referenced by commit 893b195875340cb44b54c9db99e708145f1210e8 and was published on April 16, 2025. No known exploits are reported in the wild as of now, and no CVSS score has been assigned.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with network bridging enabled, such as routers, firewalls, virtualization hosts, and container platforms that rely on Linux bridges for network traffic management. Exploitation could lead to kernel panics or denial of service (DoS) conditions, causing network outages or service disruptions. This can impact critical infrastructure, cloud service providers, telecom operators, and enterprises that depend on Linux-based networking. While the vulnerability does not directly enable privilege escalation or remote code execution, the resulting DoS could be leveraged in targeted attacks to disrupt operations or as part of multi-stage attacks. Given the widespread use of Linux in European data centers and network equipment, the potential impact on availability is significant, especially in environments with high RTNL lock contention or heavy network device reconfiguration. The vulnerability requires local access and administrative privileges (CAP_NET_ADMIN) to exploit, limiting the attack surface to authorized users or attackers who have already compromised a system. However, insider threats or lateral movement within networks could leverage this flaw to cause service interruptions.

Mitigation Recommendations

1. Apply the official Linux kernel patch that removes the unnecessary RTNL locking for SIOCBRADDIF and SIOCBRDELIF as referenced by commit 893b195875340cb44b54c9db99e708145f1210e8 or later stable kernel releases.
2. For organizations unable to immediately patch, limit administrative access to network device configuration commands requiring CAP_NET_ADMIN to trusted personnel only, reducing the risk of exploitation.
3. Monitor kernel logs for signs of RTNL lock contention, kernel panics, or "splat" messages related to unregister_netdevice waits, which may indicate attempted exploitation or triggering of this race condition.
4. Implement strict access controls and auditing on systems performing network bridging operations, especially in multi-tenant or virtualized environments.
5. Consider deploying kernel live patching solutions if available for your Linux distribution to apply the fix without downtime.
6. Review network device management automation scripts or orchestration tools to avoid concurrent conflicting bridge device operations that could exacerbate the race condition.
7. Maintain up-to-date backups and incident response plans to quickly recover from potential DoS incidents caused by this vulnerability.
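Mitigation item 3 asks for kernel-log monitoring of unregister_netdevice waits. The following Python script is an added example (not part of this advisory, the CVE record, or the kernel project) that shows what such a check can look like: it groups each "waiting for <dev> to become free" warning with the ref_tracker stack that follows it, counts how often the warning repeats per device, and flags stacks whose frames include netdev_hold(), dev_ifsioc() and dev_ioctl(), which is the call path shown in splat [0] of the description. The dmesg-style timestamp prefix, the second stuck device (veth9) and the repeated wpan3 warning are constructed sample input; only the wpan3 stack frames are taken from the description.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Optional dmesg-style "[ seconds.micros] " prefix (assumed; constructed sample input
# uses it). The kernel lines themselves follow the format of splat [0] in the description.
PREFIX = r"^(?:\[\s*\d+\.\d+\]\s*)?"
WAIT_RE = re.compile(
    r"unregister_netdevice: waiting for (?P<dev>\S+) to become free\. Usage count = (?P<count>\d+)"
)
TRACKER_RE = re.compile(r"ref_tracker: (?P<dev>\S+)@[0-9a-f]+ has \d+/\d+ users at")
FRAME_RE = re.compile(
    PREFIX + r"\s*(?P<func>[A-Za-z_][A-Za-z0-9_]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+\S+:\d+"
)

# Frames that together identify the path described in the advisory: the stuck
# reference was taken by netdev_hold() inside dev_ifsioc(), reached via dev_ioctl().
RACE_SIGNATURE = ("netdev_hold", "dev_ifsioc", "dev_ioctl")


@dataclass
class StuckNetdev:
    """One 'waiting for <dev> to become free' warning plus the ref_tracker stack after it."""
    dev: str
    usage_count: int
    frames: list = field(default_factory=list)

    @property
    def matches_race_path(self) -> bool:
        return all(f in self.frames for f in RACE_SIGNATURE)


def parse_splats(lines):
    """Group each unregister_netdevice warning with the stack frames that follow it."""
    events, current = [], None
    for line in lines:
        m = WAIT_RE.search(line)
        if m:
            current = StuckNetdev(m.group("dev"), int(m.group("count")))
            events.append(current)
            continue
        if current is None or TRACKER_RE.search(line):
            continue  # nothing to attach to yet, or the header line of a stack dump
        fm = FRAME_RE.match(line)
        if fm:
            current.frames.append(fm.group("func"))
    return events


def repeat_counts(events):
    """The warning repeats while a netdev stays stuck; count occurrences per device."""
    return Counter(e.dev for e in events)


def report(lines):
    """Return one summary line per warning, flagging stacks that match the advisory's path."""
    events = parse_splats(lines)
    counts = repeat_counts(events)
    out = []
    for e in events:
        tag = "MATCHES dev_ioctl/dev_ifsioc/netdev_hold path" if e.matches_race_path else "generic stuck netdev"
        out.append(f"{e.dev}: usage={e.usage_count} repeats={counts[e.dev]} {tag}")
    return out


# Constructed sample log: the wpan3 stack is the one from splat [0] in the description;
# timestamps, the repeated warning and the unrelated veth9 entry are invented for contrast.
SAMPLE_LOG = """\
[  812.001] unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
[  812.002] ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
[  812.002]  __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
[  812.002]  netdev_hold include/linux/netdevice.h:4311 [inline]
[  812.002]  dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
[  812.002]  dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
[  812.002]  sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
[  812.002]  sock_ioctl+0x23a/0x6c0 net/socket.c:1318
[  812.002]  __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
[  822.105] unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
[  900.500] unregister_netdevice: waiting for veth9 to become free. Usage count = 1
""".splitlines()

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On a live system the same functions can be fed `dmesg` or `journalctl -k` output line by line; a device whose warning keeps repeating with a stack through dev_ifsioc() and netdev_hold() is the pattern to escalate, whereas a single generic "waiting for ... to become free" message can have other causes and is worth a lower-severity alert.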


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.820Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe8183

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 9:26:48 PM

Last updated: 8/16/2025, 12:21:45 PM

Views: 22
