CVE-2025-23163: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net: vlan: don't propagate flags on open With the device instance lock, there is now a possibility of a deadlock: [ 1.211455] ============================================ [ 1.211571] WARNING: possible recursive locking detected [ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted [ 1.211823] -------------------------------------------- [ 1.211936] ip/184 is trying to acquire lock: [ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0 [ 1.212207] [ 1.212207] but task is already holding lock: [ 1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0 [ 1.212487] [ 1.212487] other info that might help us debug this: [ 1.212626] Possible unsafe locking scenario: [ 1.212626] [ 1.212751] CPU0 [ 1.212815] ---- [ 1.212871] lock(&dev->lock); [ 1.212944] lock(&dev->lock); [ 1.213016] [ 1.213016] *** DEADLOCK *** [ 1.213016] [ 1.213143] May be due to missing lock nesting notation [ 1.213143] [ 1.213294] 3 locks held by ip/184: [ 1.213371] #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0 [ 1.213543] #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0 [ 1.213727] #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0 [ 1.213895] [ 1.213895] stack backtrace: [ 1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 [ 1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 [ 1.213994] Call Trace: [ 1.213995] <TASK> [ 1.213996] dump_stack_lvl+0x8e/0xd0 [ 1.214000] print_deadlock_bug+0x28b/0x2a0 [ 1.214020] lock_acquire+0xea/0x2a0 [ 1.214027] __mutex_lock+0xbf/0xd40 [ 1.214038] dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI [ 1.214040] vlan_dev_open+0xa5/0x170 # ndo_open on vlandev [ 1.214042] __dev_open+0x145/0x270 [ 1.214046] __dev_change_flags+0xb0/0x1e0 [ 1.214051] netif_change_flags+0x22/0x60 # IFF_UP vlandev [ 1.214053] dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info [ 1.214055] vlan_device_event+0x766/0x7c0 # on netdevsim0 [ 1.214058] notifier_call_chain+0x78/0x120 [ 1.214062] netif_open+0x6d/0x90 [ 1.214064] dev_open+0x5b/0xb0 # locks netdevsim0 [ 1.214066] bond_enslave+0x64c/0x1230 [ 1.214075] do_set_master+0x175/0x1e0 # on netdevsim0 [ 1.214077] do_setlink+0x516/0x13b0 [ 1.214094] rtnl_newlink+0xaba/0xb80 [ 1.214132] rtnetlink_rcv_msg+0x440/0x490 [ 1.214144] netlink_rcv_skb+0xeb/0x120 [ 1.214150] netlink_unicast+0x1f9/0x320 [ 1.214153] netlink_sendmsg+0x346/0x3f0 [ 1.214157] __sock_sendmsg+0x86/0xb0 [ 1.214160] ____sys_sendmsg+0x1c8/0x220 [ 1.214164] ___sys_sendmsg+0x28f/0x2d0 [ 1.214179] __x64_sys_sendmsg+0xef/0x140 [ 1.214184] do_syscall_64+0xec/0x1d0 [ 1.214190] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1.214191] RIP: 0033:0x7f2d1b4a7e56 Device setup: netdevsim0 (down) ^ ^ bond netdevsim1.100@netdevsim1 allmulticast=on (down) When we enslave the lower device (netdevsim0) which has a vlan, we propagate vlan's allmuti/promisc flags during ndo_open. This causes (re)locking on of the real_dev. Propagate allmulti/promisc on flags change, not on the open. There is a slight semantics change that vlans that are down now propagate the flags, but this seems unlikely to result in the real issues. Reproducer: echo 0 1 > /sys/bus/netdevsim/new_device dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*) dev=$(echo $dev_path | rev | cut -d/ -f1 | rev) ip link set dev $dev name netdevsim0 ip link set dev netdevsim0 up ip link add link netdevsim0 name netdevsim0.100 type vlan id 100 ip link set dev netdevsim0.100 allm ---truncated---
AI Analysis
Technical Summary
CVE-2025-23163 is a vulnerability identified in the Linux kernel's networking subsystem, specifically related to VLAN (Virtual LAN) device handling. The issue arises from improper locking behavior in the kernel's network device code, where the device instance lock (dev->lock) can be recursively acquired, leading to a potential deadlock scenario. The vulnerability is triggered during the propagation of VLAN flags such as all-multicast (allmulti) and promiscuous mode (promisc) flags when a VLAN device is opened or when its flags change. The root cause is that the kernel attempts to propagate these flags during the device open operation (ndo_open), which involves acquiring the device lock multiple times without proper lock nesting annotations or safeguards. This results in recursive locking attempts on the same mutex, causing the kernel to detect a deadlock condition and potentially hang or crash. The vulnerability was observed in kernel version 6.14.0-rc5 and involves the interaction between VLAN devices and their underlying physical or bonded network devices. The problem manifests when enslaving a lower device that has VLAN configurations, where the propagation of allmulti/promisc flags during the open operation leads to unsafe locking. The fix involves changing the propagation semantics to occur on flag changes rather than on device open, reducing the risk of recursive locking and deadlocks. The vulnerability does not appear to have known exploits in the wild as of publication, and no CVSS score has been assigned. The issue is primarily a stability and availability concern, as it can cause kernel deadlocks and system hangs rather than direct confidentiality or integrity breaches. The vulnerability affects Linux kernel versions containing the specified commit hashes and likely impacts all distributions using these kernel versions or derivatives thereof. This vulnerability is technical and low-level, requiring privileged access to trigger (e.g., the ability to configure network devices and VLANs). It is relevant for environments running Linux with VLAN configurations, including servers, virtualized environments, and network appliances.
Potential Impact
For European organizations, the impact of CVE-2025-23163 centers on system availability and operational stability. Organizations relying on Linux-based infrastructure with VLAN configurations—common in data centers, cloud providers, telecom operators, and enterprises—may experience kernel deadlocks leading to system hangs or crashes. This can disrupt network connectivity, degrade service availability, and cause downtime for critical applications. Given the prevalence of Linux in European IT environments, especially in cloud and telecom sectors, the vulnerability poses a risk to network reliability. While the vulnerability does not directly expose data confidentiality or integrity, the resulting denial of service can have cascading effects on business operations, compliance with service-level agreements (SLAs), and incident response capabilities. Systems that are heavily virtualized or use bonded network interfaces with VLAN tagging are particularly at risk. The vulnerability could also affect embedded Linux devices used in industrial control systems or telecommunications infrastructure, which are critical in several European countries. Because exploitation requires privileged access to network device configuration, the threat is more relevant to internal attackers or attackers who have already gained elevated privileges. However, in multi-tenant cloud environments or shared infrastructure, the risk of privilege escalation or lateral movement exploiting this vulnerability cannot be discounted.
Mitigation Recommendations
1. Apply Kernel Updates: European organizations should prioritize updating to the latest Linux kernel versions that include the fix for CVE-2025-23163. Kernel patches that modify VLAN flag propagation to avoid recursive locking should be deployed promptly. 2. Restrict Privileged Access: Limit administrative privileges to network configuration interfaces and VLAN management to trusted personnel only. Use role-based access control (RBAC) and audit all changes to network device settings. 3. Monitor System Logs: Implement monitoring for kernel warnings related to locking or deadlocks, such as messages indicating recursive locking or deadlock detection in the network subsystem. Early detection can prevent prolonged outages. 4. Test Updates in Staging: Before deploying kernel updates in production, test them in staging environments that replicate VLAN and bonding configurations to ensure stability and compatibility. 5. Network Configuration Hardening: Where possible, minimize complex VLAN and bonding setups that could trigger the vulnerability. Consider alternative network designs that reduce reliance on nested VLAN flag propagation. 6. Incident Response Preparedness: Prepare for potential denial-of-service incidents by having failover and redundancy mechanisms in place, including live migration capabilities for virtual machines and network device failover. 7. Vendor Coordination: For organizations using commercial Linux distributions, coordinate with vendors to receive timely patches and advisories related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2025-23163: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net: vlan: don't propagate flags on open With the device instance lock, there is now a possibility of a deadlock: [ 1.211455] ============================================ [ 1.211571] WARNING: possible recursive locking detected [ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted [ 1.211823] -------------------------------------------- [ 1.211936] ip/184 is trying to acquire lock: [ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0 [ 1.212207] [ 1.212207] but task is already holding lock: [ 1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0 [ 1.212487] [ 1.212487] other info that might help us debug this: [ 1.212626] Possible unsafe locking scenario: [ 1.212626] [ 1.212751] CPU0 [ 1.212815] ---- [ 1.212871] lock(&dev->lock); [ 1.212944] lock(&dev->lock); [ 1.213016] [ 1.213016] *** DEADLOCK *** [ 1.213016] [ 1.213143] May be due to missing lock nesting notation [ 1.213143] [ 1.213294] 3 locks held by ip/184: [ 1.213371] #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0 [ 1.213543] #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0 [ 1.213727] #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0 [ 1.213895] [ 1.213895] stack backtrace: [ 1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 [ 1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 [ 1.213994] Call Trace: [ 1.213995] <TASK> [ 1.213996] dump_stack_lvl+0x8e/0xd0 [ 1.214000] print_deadlock_bug+0x28b/0x2a0 [ 1.214020] lock_acquire+0xea/0x2a0 [ 1.214027] __mutex_lock+0xbf/0xd40 [ 1.214038] dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI [ 1.214040] vlan_dev_open+0xa5/0x170 # ndo_open on vlandev [ 1.214042] __dev_open+0x145/0x270 [ 1.214046] __dev_change_flags+0xb0/0x1e0 [ 1.214051] netif_change_flags+0x22/0x60 # IFF_UP vlandev [ 1.214053] dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info [ 1.214055] vlan_device_event+0x766/0x7c0 # on netdevsim0 [ 1.214058] notifier_call_chain+0x78/0x120 [ 1.214062] netif_open+0x6d/0x90 [ 1.214064] dev_open+0x5b/0xb0 # locks netdevsim0 [ 1.214066] bond_enslave+0x64c/0x1230 [ 1.214075] do_set_master+0x175/0x1e0 # on netdevsim0 [ 1.214077] do_setlink+0x516/0x13b0 [ 1.214094] rtnl_newlink+0xaba/0xb80 [ 1.214132] rtnetlink_rcv_msg+0x440/0x490 [ 1.214144] netlink_rcv_skb+0xeb/0x120 [ 1.214150] netlink_unicast+0x1f9/0x320 [ 1.214153] netlink_sendmsg+0x346/0x3f0 [ 1.214157] __sock_sendmsg+0x86/0xb0 [ 1.214160] ____sys_sendmsg+0x1c8/0x220 [ 1.214164] ___sys_sendmsg+0x28f/0x2d0 [ 1.214179] __x64_sys_sendmsg+0xef/0x140 [ 1.214184] do_syscall_64+0xec/0x1d0 [ 1.214190] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1.214191] RIP: 0033:0x7f2d1b4a7e56 Device setup: netdevsim0 (down) ^ ^ bond netdevsim1.100@netdevsim1 allmulticast=on (down) When we enslave the lower device (netdevsim0) which has a vlan, we propagate vlan's allmuti/promisc flags during ndo_open. This causes (re)locking on of the real_dev. Propagate allmulti/promisc on flags change, not on the open. There is a slight semantics change that vlans that are down now propagate the flags, but this seems unlikely to result in the real issues. Reproducer: echo 0 1 > /sys/bus/netdevsim/new_device dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*) dev=$(echo $dev_path | rev | cut -d/ -f1 | rev) ip link set dev $dev name netdevsim0 ip link set dev netdevsim0 up ip link add link netdevsim0 name netdevsim0.100 type vlan id 100 ip link set dev netdevsim0.100 allm ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2025-23163 is a vulnerability identified in the Linux kernel's networking subsystem, specifically related to VLAN (Virtual LAN) device handling. The issue arises from improper locking behavior in the kernel's network device code, where the device instance lock (dev->lock) can be recursively acquired, leading to a potential deadlock scenario. The vulnerability is triggered during the propagation of VLAN flags such as all-multicast (allmulti) and promiscuous mode (promisc) flags when a VLAN device is opened or when its flags change. The root cause is that the kernel attempts to propagate these flags during the device open operation (ndo_open), which involves acquiring the device lock multiple times without proper lock nesting annotations or safeguards. This results in recursive locking attempts on the same mutex, causing the kernel to detect a deadlock condition and potentially hang or crash. The vulnerability was observed in kernel version 6.14.0-rc5 and involves the interaction between VLAN devices and their underlying physical or bonded network devices. The problem manifests when enslaving a lower device that has VLAN configurations, where the propagation of allmulti/promisc flags during the open operation leads to unsafe locking. The fix involves changing the propagation semantics to occur on flag changes rather than on device open, reducing the risk of recursive locking and deadlocks. The vulnerability does not appear to have known exploits in the wild as of publication, and no CVSS score has been assigned. The issue is primarily a stability and availability concern, as it can cause kernel deadlocks and system hangs rather than direct confidentiality or integrity breaches. The vulnerability affects Linux kernel versions containing the specified commit hashes and likely impacts all distributions using these kernel versions or derivatives thereof. This vulnerability is technical and low-level, requiring privileged access to trigger (e.g., the ability to configure network devices and VLANs). It is relevant for environments running Linux with VLAN configurations, including servers, virtualized environments, and network appliances.
Potential Impact
For European organizations, the impact of CVE-2025-23163 centers on system availability and operational stability. Organizations relying on Linux-based infrastructure with VLAN configurations—common in data centers, cloud providers, telecom operators, and enterprises—may experience kernel deadlocks leading to system hangs or crashes. This can disrupt network connectivity, degrade service availability, and cause downtime for critical applications. Given the prevalence of Linux in European IT environments, especially in cloud and telecom sectors, the vulnerability poses a risk to network reliability. While the vulnerability does not directly expose data confidentiality or integrity, the resulting denial of service can have cascading effects on business operations, compliance with service-level agreements (SLAs), and incident response capabilities. Systems that are heavily virtualized or use bonded network interfaces with VLAN tagging are particularly at risk. The vulnerability could also affect embedded Linux devices used in industrial control systems or telecommunications infrastructure, which are critical in several European countries. Because exploitation requires privileged access to network device configuration, the threat is more relevant to internal attackers or attackers who have already gained elevated privileges. However, in multi-tenant cloud environments or shared infrastructure, the risk of privilege escalation or lateral movement exploiting this vulnerability cannot be discounted.
Mitigation Recommendations
1. Apply Kernel Updates: European organizations should prioritize updating to the latest Linux kernel versions that include the fix for CVE-2025-23163. Kernel patches that modify VLAN flag propagation to avoid recursive locking should be deployed promptly. 2. Restrict Privileged Access: Limit administrative privileges to network configuration interfaces and VLAN management to trusted personnel only. Use role-based access control (RBAC) and audit all changes to network device settings. 3. Monitor System Logs: Implement monitoring for kernel warnings related to locking or deadlocks, such as messages indicating recursive locking or deadlock detection in the network subsystem. Early detection can prevent prolonged outages. 4. Test Updates in Staging: Before deploying kernel updates in production, test them in staging environments that replicate VLAN and bonding configurations to ensure stability and compatibility. 5. Network Configuration Hardening: Where possible, minimize complex VLAN and bonding setups that could trigger the vulnerability. Consider alternative network designs that reduce reliance on nested VLAN flag propagation. 6. Incident Response Preparedness: Prepare for potential denial-of-service incidents by having failover and redundancy mechanisms in place, including live migration capabilities for virtual machines and network device failover. 7. Vendor Coordination: For organizations using commercial Linux distributions, coordinate with vendors to receive timely patches and advisories related to this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-01-11T14:28:41.517Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9832c4522896dcbe829e
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 10:25:31 PM
Last updated: 8/14/2025, 11:46:46 PM
Views: 15
Related Threats
CVE-2025-9165: Memory Leak in LibTIFF
MediumCVE-2025-9157: Use After Free in appneta tcpreplay
MediumCVE-2025-51529: n/a
MediumCVE-2025-50579: n/a
MediumCVE-2025-55740: CWE-1392: Use of Default Credentials in Anipaleja nginx-defender
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.