CVE-2025-21791
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

vrf: use RCU protection in l3mdev_l3_out()

l3mdev_l3_out() can be called without RCU being held:

raw_sendmsg()
 ip_push_pending_frames()
  ip_send_skb()
   ip_local_out()
    __ip_local_out()
     l3mdev_ip_out()

Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF.
Security Summary
CVE-2025-21791 is a use-after-free (UAF) vulnerability, classified under CWE-416, in the Linux kernel's Virtual Routing and Forwarding (VRF) component. The issue arises in the l3mdev_l3_out() function, which can be invoked without Read-Copy Update (RCU) protection, such as during the call chain from raw_sendmsg() through ip_local_out() and __ip_local_out(). Because the function then runs outside any RCU read-side critical section, a potential UAF results. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-27.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or system denial of service on the affected kernel instance.
Mitigation involves applying kernel patches from the provided stable branch commits, including 022cac1c693add610ae76ede03adf4d9d5a2cf21, 20a3489b396764cc9376e32a9172bee26a89dc3b, 5bb4228c32261d06e4fbece37ec3828bcc005b6b, 6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e, and 6d0ce46a93135d96b7fa075a94a88fe0da8e8773. These commits add an rcu_read_lock()/rcu_read_unlock() pair to l3mdev_l3_out() to ensure proper RCU protection.
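The shape of the fix described above, as an added user-space model that is not the kernel's code or the patch itself. The struct layout and the helpers check_rcu_held(), master_get_rcu(), vrf_l3_out() and run_unlocked() are hypothetical stand-ins, and the RCU primitives are reduced to a nesting counter so that any access made outside a read-side section is counted.

```c
#include <stdio.h>

/* User-space model constructed for illustration; not kernel code. */
static int rcu_depth, violations; /* reader nesting; accesses outside a section */
static void rcu_read_lock(void)   { rcu_depth++; }
static void rcu_read_unlock(void) { rcu_depth--; }
static void check_rcu_held(void)  { if (rcu_depth == 0) violations++; }

struct net_device {
    struct net_device *master;           /* RCU-managed in the kernel */
    int (*l3_out)(struct net_device *m); /* stand-in for the l3mdev op */
};

/* Stand-ins for the RCU-protected master lookup and the master's output op. */
static struct net_device *master_get_rcu(struct net_device *d) { check_rcu_held(); return d->master; }
static int vrf_l3_out(struct net_device *m) { (void)m; check_rcu_held(); return 1; }

/* Before the fix: assumes the caller already holds RCU. */
static int l3_out_before(struct net_device *dev)
{
    struct net_device *m = master_get_rcu(dev);
    return (m && m->l3_out) ? m->l3_out(m) : 0;
}

/* After the fix: lookup and use sit inside the function's own section. */
static int l3_out_after(struct net_device *dev)
{
    int ret = 0;
    rcu_read_lock();
    struct net_device *m = master_get_rcu(dev);
    if (m && m->l3_out)
        ret = m->l3_out(m);
    rcu_read_unlock();
    return ret;
}

/* Call fn from a context that holds no RCU lock; return violations seen. */
static int run_unlocked(int (*fn)(struct net_device *))
{
    struct net_device master = { NULL, vrf_l3_out }, slave = { &master, NULL };
    violations = 0;
    fn(&slave);
    return violations;
}

int main(void)
{
    printf("before=%d after=%d\n", run_unlocked(l3_out_before), run_unlocked(l3_out_after));
    return 0;
}
```

In the model, the unprotected version touches the master device twice with no reader section active (the lookup and the call through it), which is the window in which the real object could be freed; the protected version records none.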
Details
- CWE(s)