CVE-2025-21883
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-21883 is a use-after-free vulnerability (CWE-416) in the Linux kernel's ice driver, which handles Intel Ethernet controllers supporting SR-IOV. The issue occurs during VF deinitialization in the error path of ice_ena_vfs(): if it fails after ice_create_vf_entries(), the function frees all VFs without removing them from the snapshot PF-VF mailbox list, resulting in list corruption. This can trigger a kernel BUG in list_add or a KASAN-reported use-after-free, as seen in stack traces from ice_mbx_init_vf_info and ice_sriov_configure. The vulnerability carries a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this by reproducing the failure scenario, such as configuring the physical function (PF) with devlink dev eswitch set to switchdev mode, enabling the interface with ip link set up and promiscuous mode, then toggling SR-IOV VFs via /sys/class/net/$PF/device/sriov_numvfs. This triggers the faulty error path during VF creation, leading to list corruption or use-after-free in VF initialization. Successful exploitation can cause kernel panics or memory corruption, potentially enabling privilege escalation, data tampering, or denial of service given the high confidentiality, integrity, and availability impacts.
Mitigation requires applying the upstream kernel patches from the referenced stable commits, which move the removal of VFs from the PF-VF mailbox list into ice_free_vf_entries(), a function already called in other VF removal paths, including ice_free_vfs(). Relevant patches include commits 34393fd78d71, 3c01102bec95, 79990cf5e7ad, and a4880583f88d, available at git.kernel.org/stable. Security practitioners should update the kernels of affected Linux distributions that support ice driver SR-IOV configurations as soon as patches propagate.
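The bug class and the shape of the fix can be seen in a small user-space model. This is an added example, not code from the ice driver or the upstream patches: all names (vf_pool, mbx_list, free_vf_entries, enable_vfs_error_path) are hypothetical, and a 'live' flag stands in for freed memory so the dangling list entries can be counted safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal circular doubly linked list, modelled on the kernel's list_head. */
struct list_node { struct list_node *prev, *next; };
static void list_init(struct list_node *h) { h->prev = h->next = h; }
static void list_add_tail(struct list_node *n, struct list_node *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_unlink(struct list_node *n) {
    n->prev->next = n->next; n->next->prev = n->prev; n->prev = n->next = n;
}
#define NUM_VFS 4
/* Hypothetical VF record; 'live' models "not yet freed" so no freed memory is read. */
struct vf { struct list_node mbx_node; bool live; };
static struct vf vf_pool[NUM_VFS];
static struct list_node mbx_list; /* stands in for the PF-VF mailbox list */

/* Free helper; 'patched' selects whether it also unlinks each VF from the list. */
static void free_vf_entries(bool patched) {
    for (int i = 0; i < NUM_VFS; i++) {
        if (patched) list_unlink(&vf_pool[i].mbx_node);
        vf_pool[i].live = false; /* models freeing the VF */
    }
}
/* Count list entries that still reference released VFs. */
static int stale_mbx_entries(void) {
    int stale = 0;
    for (struct list_node *p = mbx_list.next; p != &mbx_list; p = p->next) {
        struct vf *v = (struct vf *)((char *)p - offsetof(struct vf, mbx_node));
        stale += !v->live;
    }
    return stale;
}
/* Enable path that fails after the VF entries were created and listed. */
int enable_vfs_error_path(bool patched) {
    list_init(&mbx_list);
    for (int i = 0; i < NUM_VFS; i++) {
        vf_pool[i].live = true;
        list_add_tail(&vf_pool[i].mbx_node, &mbx_list);
    }
    free_vf_entries(patched); /* error-path cleanup */
    return stale_mbx_entries();
}

int main(void) {
    printf("unpatched: %d, patched: %d\n", enable_vfs_error_path(false), enable_vfs_error_path(true));
    return 0;
}
```

In the unpatched model every VF released by the error path is still reachable from the list, which is the state that a later list insertion or traversal trips over; with the unlink inside the free helper, every caller of that helper leaves the list consistent.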
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local use-after-free in kernel driver enables exploitation for privilege escalation (T1068) or denial of service via kernel panic/memory corruption (T1499.004).