CVE-2025-21867

CVE-2025-21867 is a use-after-free vulnerability in the Linux kernel's eth_skb_pkt_type() function, detected by KMSAN. It affects the BPF test_run subsystem, where bpf_prog_test_run_xdp() can pass an invalid user_data argument to bpf_test_init(), causing access to skb data lacking an Ethernet header. This issue manifests in the eth_type_trans() path during XDP frame processing, as detailed in the kernel stack trace from kernel version 6.12-rc.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L). Exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS v3.1 score of 7.8 under unchanged scope (S:U), classified as CWE-416. Potential outcomes include kernel memory corruption, enabling arbitrary code execution or system crashes.

Mitigation involves applying upstream kernel patches, which fix the issue by adding a check in bpf_test_init() to return an error if user_data is less than ETH_HLEN and removing an unnecessary "user_size > size" check. Relevant stable branch commits include 1a9e1284e87d59b1303b69d1808d310821d6e5f7, 6b3d638ca897e099fa99bd6d02189d3176f80a47, 972bafed67ca73ad9a56448384281eb5fd5c0ba3, d56d8a23d95100b65f40438639dd82db2af81c11, and f615fccfc689cb48977d275ac2e391297b52392b.