Cyber Resilience

CVE-2025-21650

Severity: High
Published: 19 January 2025
Modified: 01 October 2025
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0003 (8.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21650 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 8.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-21650 is a vulnerability in the Linux kernel's hns3 network driver, specifically in the hclge_fetch_pf_reg function. The issue arises because the TQP BAR space is divided into two segments—TQPs 0-1023 and TQPs 1024-1279 occupy different BAR space addresses—but hclge_fetch_pf_reg fails to account for this segmentation when reading TQP space information. When the number of TQPs exceeds 1024, this leads to out-of-bounds BAR space access, manifesting as a kernel paging fault with an error like "Unable to handle kernel paging request at virtual address ffff800037200000." The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (PR:L) can trigger the flaw with low attack complexity (AC:L) and no user interaction (UI:N), because the faulting code is reached through the ethtool register-dump path via a standard ioctl call chain (sock_ioctl -> dev_ioctl -> dev_ethtool -> ethtool_get_regs). The stack trace shows the fault originating in hclge_fetch_pf_reg, called from hclge_get_regs and hns3_get_regs. The CVSS vector rates the impact as high on confidentiality, integrity, and availability (C:H/I:H/A:H) with scope unchanged (S:U): the out-of-bounds access can corrupt kernel memory, crash the kernel (denial of service), or potentially lead to arbitrary code execution.

Mitigation involves applying the upstream Linux kernel patches referenced in the advisory. The primary fix, commit 0575baa733fc4219f230aef22d5bc35d922f1e9a, changes hclge_fetch_pf_reg to read each queue's registers through tqp.io_base, which the driver's initialization code already sets with the two-segment layout in mind, instead of recomputing the offset itself. A related commit, 7997ddd46c54408bcba5e37fe18b4d832e45d4d4, addresses similar handling. Security practitioners should update affected kernels, particularly on systems with HiSilicon hns3 hardware configured with high TQP counts, and monitor for stable backports.
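The two access patterns described above, as an added C model that is not the kernel's or the advisory's code: tqp_table plays the role of the tqp.io_base initialization, dump_regs_linear recomputes offsets from segment 0 (the pre-fix behaviour), and dump_regs_iobase reuses the initialized base. The segment bases, the stride and the bar_offset_mapped check are assumed stand-ins for the real hns3 register map and the MMU fault, not hardware values.

```c
/* Added model of the TQP BAR layout described above: two segments (TQPs
 * 0-1023 and 1024-1279) at different BAR offsets. The bases and stride are
 * assumed illustrative values, not the real hns3 register map. */
#include <stdbool.h>
#include <stdint.h>

#define TQP_SEG0_COUNT 1024u
#define TQP_MAX        1280u
#define TQP_STRIDE     0x200u      /* assumed per-queue register window */
#define SEG0_BASE      0x00010000u /* assumed BAR offset of TQPs 0-1023 */
#define SEG1_BASE      0x00400000u /* assumed BAR offset of TQPs 1024-1279 */
#define SEG0_END (SEG0_BASE + TQP_SEG0_COUNT * TQP_STRIDE)
#define SEG1_END (SEG1_BASE + (TQP_MAX - TQP_SEG0_COUNT) * TQP_STRIDE)

struct tqp { uint32_t io_base; };

/* Stand-in for the MMU: is this offset inside a mapped TQP window? An
 * unmapped offset is where the real driver took the kernel paging fault. */
static bool bar_offset_mapped(uint32_t off) {
	return (off >= SEG0_BASE && off < SEG0_END) ||
	       (off >= SEG1_BASE && off < SEG1_END);
}

/* Init-time mapping: the segment split is resolved here, once per queue
 * (the role the advisory attributes to tqp.io_base initialization). */
struct tqp *tqp_table(unsigned num_tqps) {
	static struct tqp tqps[TQP_MAX];
	for (unsigned j = 0; j < num_tqps && j < TQP_MAX; j++)
		tqps[j].io_base = j < TQP_SEG0_COUNT
			? SEG0_BASE + j * TQP_STRIDE
			: SEG1_BASE + (j - TQP_SEG0_COUNT) * TQP_STRIDE;
	return tqps;
}

/* Vulnerable pattern: the register dump recomputes each queue's offset
 * linearly from segment 0, so queues >= 1024 run past the mapped window.
 * Returns the first queue whose offset is unmapped, or -1 if all are fine. */
int dump_regs_linear(unsigned num_tqps) {
	for (unsigned j = 0; j < num_tqps; j++)
		if (!bar_offset_mapped(SEG0_BASE + j * TQP_STRIDE))
			return (int)j;
	return -1;
}

/* Fixed pattern: read through the per-queue io_base computed at init. */
int dump_regs_iobase(const struct tqp *tqps, unsigned num_tqps) {
	for (unsigned j = 0; j < num_tqps; j++)
		if (!bar_offset_mapped(tqps[j].io_base))
			return (int)j;
	return -1;
}
```

With 1024 or fewer queues both patterns stay inside segment 0; at 1280 queues the linear pattern reports queue 1024 as the first unmapped access, while the io_base pattern reports none.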


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue

The TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs 1024-1279 are in different BAR space addresses. However, hclge_fetch_pf_reg does not distinguish the tqp space information when reading the tqp space information. When the number of TQPs is greater than 1024, access bar space overwriting occurs.

The problem of different segments has been considered during the initialization of tqp.io_base. Therefore, tqp.io_base is directly used when the queue is read in hclge_fetch_pf_reg.

The error message:

Unable to handle kernel paging request at virtual address ffff800037200000
pc : hclge_fetch_pf_reg+0x138/0x250 [hclge]
lr : hclge_get_regs+0x84/0x1d0 [hclge]
Call trace:
 hclge_fetch_pf_reg+0x138/0x250 [hclge]
 hclge_get_regs+0x84/0x1d0 [hclge]
 hns3_get_regs+0x2c/0x50 [hns3]
 ethtool_get_regs+0xf4/0x270
 dev_ethtool+0x674/0x8a0
 dev_ioctl+0x270/0x36c
 sock_do_ioctl+0x110/0x2a0
 sock_ioctl+0x2ac/0x530
 __arm64_sys_ioctl+0xa8/0x100
 invoke_syscall+0x4c/0x124
 el0_svc_common.constprop.0+0x140/0x15c
 do_el0_svc+0x30/0xd0
 el0_svc+0x1c/0x2c
 el0_sync_handler+0xb0/0xb4
 el0_sync+0x168/0x180


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a local kernel out-of-bounds write vulnerability in the hns3 driver that can be triggered by low-privileged users via ethtool ioctl calls, directly enabling kernel memory corruption and arbitrary code execution for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux Kernel)
CVE-2026-31772 (same product: Linux Kernel)
CVE-2026-23378 (same product: Linux Kernel)
CVE-2026-31494 (same product: Linux Kernel)
CVE-2025-21735 (same product: Linux Kernel)
CVE-2024-52319 (same product: Linux Kernel)
CVE-2024-58003 (same product: Linux Kernel)
CVE-2026-23343 (same product: Linux Kernel)
CVE-2026-23092 (same product: Linux Kernel)
CVE-2026-43500 (same product: Linux Kernel)

Affected Assets

Vendor: Linux
Product: Linux Kernel
Affected versions: 6.4.16 to 6.5; 6.5.3 to 6.12.10; 6.13

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): directly requires timely patching of the Linux kernel hns3 driver flaw to eliminate the out-of-bounds TQP BAR space access.

Prevent (SI-16, Memory Protection): kernel memory protection mechanisms such as KASLR and supervisor protections mitigate memory corruption from the out-of-bounds BAR access.

Detect: system monitoring detects kernel paging faults and oops traces from exploitation of the hclge_fetch_pf_reg vulnerability via ethtool ioctls.
