CVE-2025-21760
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ndisc: extend RCU protection in ndisc_send_skb()

ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF.
Security Summary
CVE-2025-21760 is a use-after-free (UAF) vulnerability, classified under CWE-416, in the Linux kernel's ndisc_send_skb() function in the IPv6 Neighbor Discovery (ndisc) subsystem. The issue arises because ndisc_send_skb() can be invoked with neither the RTNL (rtnetlink) lock nor RCU (Read-Copy-Update) read-side protection held, so the device's network namespace can be dereferenced while it is being torn down, leading to a potential UAF. Published on 2025-02-27, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
A local attacker with low-privilege (PR:L) access can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation could trigger the UAF condition, potentially resulting in arbitrary code execution, data corruption, or system denial of service, as reflected in the high confidentiality, integrity, and availability impact ratings (C:H/I:H/A:H) within an unchanged security scope.
Mitigation involves applying the upstream kernel patches referenced in the stable repository, such as commits 04e05112f10354ffc3bb6cc796d553bab161594c, 10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1, 4d576202b90b1b95a7c428a80b536f91b8201bcc, 789230e5a8c1097301afc802e242c79bc8835c67, and a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d. These patches extend RCU protection by acquiring rcu_read_lock() earlier in ndisc_send_skb(), so that dev_net_rcu() can be used safely and the UAF is prevented. Security practitioners should update affected Linux kernels promptly, particularly on hosts with IPv6 enabled, since neighbor discovery runs on every IPv6-enabled interface.
Details
- CWE(s)