Cyber Posture

CVE-2025-21717

High

Published: 27 February 2025
Modified: 23 October 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0003 (8.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21717 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 8.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mandates timely remediation of the kernel flaw in mlx5e_open_xdpredirect_sq by applying patches that add the missing cpu_to_node call to prevent OOB access and panics.

prevent

Implements memory protections that mitigate out-of-bounds reads in kernel drivers like mlx5e, reducing risks of panics or information disclosure during allocation faults.

prevent

Provides safeguards to limit the effects of denial-of-service events such as kernel panics triggered by netlink operations on high CPU IDs in mlx5e interfaces.

MITRE ATT&CK Enterprise Techniques · AI

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The out-of-bounds read in the Linux kernel mlx5e driver can be triggered locally by a low-privileged attacker via netlink operations to cause a kernel panic and denial of service, directly mapping to application or system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq

kvzalloc_node is not doing a runtime check on the node argument (__alloc_pages_node_noprof does have a VM_BUG_ON, but it expands to nothing on !CONFIG_DEBUG_VM builds), so doing any ethtool/netlink operation that calls mlx5e_open on a CPU that's larger than MAX_NUMNODES triggers OOB access and panic (see the trace below).

Add missing cpu_to_node call to convert cpu id to node id.

[ 165.427394] mlx5_core 0000:5c:00.0 beth1: Link up
[ 166.479327] BUG: unable to handle page fault for address: 0000000800000010
[ 166.494592] #PF: supervisor read access in kernel mode
[ 166.505995] #PF: error_code(0x0000) - not-present page
...
[ 166.816958] Call Trace:
[ 166.822380] <TASK>
[ 166.827034] ? __die_body+0x64/0xb0
[ 166.834774] ? page_fault_oops+0x2cd/0x3f0
[ 166.843862] ? exc_page_fault+0x63/0x130
[ 166.852564] ? asm_exc_page_fault+0x22/0x30
[ 166.861843] ? __kvmalloc_node_noprof+0x43/0xd0
[ 166.871897] ? get_partial_node+0x1c/0x320
[ 166.880983] ? deactivate_slab+0x269/0x2b0
[ 166.890069] ___slab_alloc+0x521/0xa90
[ 166.898389] ? __kvmalloc_node_noprof+0x43/0xd0
[ 166.908442] __kmalloc_node_noprof+0x216/0x3f0
[ 166.918302] ? __kvmalloc_node_noprof+0x43/0xd0
[ 166.928354] __kvmalloc_node_noprof+0x43/0xd0
[ 166.938021] mlx5e_open_channels+0x5e2/0xc00
[ 166.947496] mlx5e_open_locked+0x3e/0xf0
[ 166.956201] mlx5e_open+0x23/0x50
[ 166.963551] __dev_open+0x114/0x1c0
[ 166.971292] __dev_change_flags+0xa2/0x1b0
[ 166.980378] dev_change_flags+0x21/0x60
[ 166.988887] do_setlink+0x38d/0xf20
[ 166.996628] ? ep_poll_callback+0x1b9/0x240
[ 167.005910] ? __nla_validate_parse.llvm.10713395753544950386+0x80/0xd70
[ 167.020782] ? __wake_up_sync_key+0x52/0x80
[ 167.030066] ? __mutex_lock+0xff/0x550
[ 167.038382] ? security_capable+0x50/0x90
[ 167.047279] rtnl_setlink+0x1c9/0x210
[ 167.055403] ? ep_poll_callback+0x1b9/0x240
[ 167.064684] ? security_capable+0x50/0x90
[ 167.073579] rtnetlink_rcv_msg+0x2f9/0x310
[ 167.082667] ? rtnetlink_bind+0x30/0x30
[ 167.091173] netlink_rcv_skb+0xb1/0xe0
[ 167.099492] netlink_unicast+0x20f/0x2e0
[ 167.108191] netlink_sendmsg+0x389/0x420
[ 167.116896] __sys_sendto+0x158/0x1c0
[ 167.125024] __x64_sys_sendto+0x22/0x30
[ 167.133534] do_syscall_64+0x63/0x130
[ 167.141657] ? __irq_exit_rcu.llvm.17843942359718260576+0x52/0xd0
[ 167.155181] entry_SYSCALL_64_after_hwframe+0x4b/0x53

Deeper analysis · AI

CVE-2025-21717 is an out-of-bounds read vulnerability (CWE-125) in the Linux kernel's net/mlx5e subsystem, specifically in the mlx5e_open_xdpredirect_sq function. The function is missing a cpu_to_node call before it invokes kvzalloc_node, and kvzalloc_node does not validate its node argument at runtime, so the access goes out of bounds on systems where the CPU ID exceeds MAX_NUMNODES. This affects the mlx5e driver used with Mellanox/NVIDIA ConnectX Ethernet adapters supporting XDP redirect functionality, leading to kernel panics during operations like ethtool or netlink interface configuration.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). By performing netlink operations, such as rtnetlink sendto calls to change device flags (e.g., via do_setlink and dev_change_flags), the attacker triggers mlx5e_open on a high CPU ID. This results in an out-of-bounds access in __kvmalloc_node_noprof, causing a page fault, kernel panic, and denial of service (A:H). The vulnerability also enables high confidentiality impact (C:H) through potential information disclosure during the fault.

The provided patch references from kernel.org stable branches confirm the fix: commit 979284535aaf12a287a2f43d9d5dfcbdc1dc4cac and a275db45b4161d01716559dd7557db9ea0450952 explicitly add the missing cpu_to_node conversion before kvzalloc_node in mlx5e_open_xdpredirect_sq. Security practitioners should update to kernels incorporating these stable commits to mitigate the issue, prioritizing systems with mlx5e drivers in multi-node or high-CPU environments.
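
A user-space model of the defect and its fix, added here as an illustration; it is not kernel source and not the patch itself. The names model_cpu_to_node, model_alloc_on_node, open_sq_unpatched and open_sq_patched, and the sizes MAX_NUMNODES = 4 and NR_CPUS = 16, are assumptions made for the model.

```c
#include <stdio.h>

#define MAX_NUMNODES 4   /* constructed: size of the per-node table in this model */
#define NR_CPUS      16  /* constructed: 16 CPUs, 4 per NUMA node */

static unsigned long node_allocs[MAX_NUMNODES]; /* stands in for per-node allocator state */

/* Model of cpu_to_node(): CPUs 0-3 -> node 0, 4-7 -> node 1, and so on. */
static int model_cpu_to_node(int cpu) { return cpu / (NR_CPUS / MAX_NUMNODES); }

/* Model of a node-aware allocation. The range check exists only so the model
 * can report the fault; the page states kvzalloc_node has no such runtime
 * check, so the real code indexes past the table instead of returning. */
static int model_alloc_on_node(int node)
{
    if (node < 0 || node >= MAX_NUMNODES)
        return -1;                 /* would be the out-of-bounds read */
    node_allocs[node]++;
    return node;                   /* node the memory came from */
}

/* Before the fix: the CPU id is handed over as if it were a node id. */
static int open_sq_unpatched(int cpu) { return model_alloc_on_node(cpu); }

/* After the fix: the CPU id is converted to its node id first. */
static int open_sq_patched(int cpu) { return model_alloc_on_node(model_cpu_to_node(cpu)); }

/* Walk every CPU and classify each call: out of range, wrong node, or correct. */
static void classify(int (*open_sq)(int), int *oob, int *wrong_node)
{
    *oob = *wrong_node = 0;
    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        int got = open_sq(cpu);
        if (got < 0)
            (*oob)++;
        else if (got != model_cpu_to_node(cpu))
            (*wrong_node)++;
    }
}

int main(void)
{
    int oob, wrong;
    classify(open_sq_unpatched, &oob, &wrong);
    printf("unpatched: %d out-of-range, %d on the wrong node\n", oob, wrong);
    classify(open_sq_patched, &oob, &wrong);
    printf("patched:   %d out-of-range, %d on the wrong node\n", oob, wrong);
    return 0;
}
```

In this model the unpatched path also places allocations for low CPU ids on the wrong node without any fault, so the defect only becomes visible once a CPU id falls outside the node range.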

Details

CWE(s)

Affected Products

linux
linux kernel
6.13 — 6.13.2

CVEs Like This One

CVE-2026-23102 · Same product: Linux Kernel
CVE-2026-23388 · Same product: Linux Kernel
CVE-2025-21719 · Same product: Linux Kernel
CVE-2025-21794 · Same product: Linux Kernel
CVE-2025-71231 · Same product: Linux Kernel
CVE-2025-21782 · Same product: Linux Kernel
CVE-2025-21743 · Same product: Linux Kernel
CVE-2026-31558 · Same product: Linux Kernel
CVE-2024-58015 · Same product: Linux Kernel
CVE-2024-52332 · Same product: Linux Kernel

References