CVE-2025-21858

CVE-2025-21858 is a use-after-free vulnerability in the Linux kernel's Geneve networking driver, specifically in the geneve_find_dev() function within drivers/net/geneve.c. The issue arises during Geneve device configuration, where geneve_configure() links a struct geneve_dev.next pointer to a list in net_generic(net, geneve_net_id)->geneve_list, potentially in a different network namespace (netns) if attributes like IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID are set. When the device’s netns (dev_net(dev)) is dismantled, geneve_exit_batch_rtnl() queues the device for unregister_netdevice_queue() and eventual freeing, but the next pointer remains linked to the backend UDP socket’s netns. This leads to a use-after-free when a new Geneve device is created in that netns, as reported by syzkaller and confirmed by KASAN slab-use-after-free detection.

A local attacker with low privileges can exploit this vulnerability, as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation requires the ability to create and manipulate Geneve devices across network namespaces, typically needing capabilities like CAP_NET_ADMIN. By dismantling a netns containing a Geneve device and then creating a new one in the linked backend netns, the attacker triggers the use-after-free during geneve_configure(), potentially allowing arbitrary read/write access to freed memory, kernel crashes, or code execution with kernel privileges.

Kernel patches address the issue by replacing the call to geneve_destroy_tunnels() with geneve_dellink() to properly unlink the device from the list before freeing. Relevant stable branch commits include 3ce92ca990cfac88a87c61df3cc0b5880e688ecf, 5a0538ac6826807d6919f6aecbb8996c2865af2c, 788dbca056a8783ec063da3c9d49a3a71c76c283, 904e746b2e7fa952ab8801b303ce826a63153d78, and 9593172d93b9f91c362baec4643003dc29802929, available via git.kernel.org. Security practitioners should ensure systems run patched kernels to mitigate this CWE-416 vulnerability.