CVE-2025-21759
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: extend RCU protection in igmp6_send()

igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection.
Security Summary
CVE-2025-21759 is a Use After Free (UAF) vulnerability in the Linux kernel's IPv6 multicast implementation, specifically within the igmp6_send() function. This function can be invoked without holding the RTNL lock or the RCU read-side lock, so the net pointer it fetches may refer to a network namespace that is freed concurrently, producing a UAF. The fix extends the RCU read-side critical section to cover that fetch. Because ipv6.igmp_sk uses GFP_KERNEL allocations, which can sleep, sock_alloc_send_skb() cannot be called inside the RCU section; the fix instead allocates the skb with alloc_skb() and charges it to the net->ipv6.igmp_sk socket under RCU protection. Affected components are Linux kernel versions prior to the application of the relevant stable patches.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) with an unchanged scope (S:U), giving a CVSS 3.1 base score of 7.8. The UAF could enable arbitrary code execution, kernel crashes, or data corruption if the memory behind the stale net pointer is reused after it is freed.
Mitigation involves applying the upstream kernel patches referenced in the stable git commits, including 087c1faa594fa07a66933d750c0b2610aa1a2946, 0bf8e2f3768629d437a32cb824149e6e98254381, 81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a, and 8e92d6a413feaf968a33f0b439ecf27404407458. These extend RCU protection in igmp6_send() to safely fetch the net pointer and handle skb allocation appropriately. Security practitioners should update to kernels incorporating these fixes and monitor for local privilege escalation attempts targeting IPv6 multicast paths.
Details
- CWE(s)