CVE-2025-21719
Published: 27 February 2025
Summary
CVE-2025-21719 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); it ranks at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely application of the kernel patch removes the erroneous mr_mfc_uses_dev() call on unresolved entries, preventing crashes and memory disclosure.
Vulnerability monitoring and scanning identifies the kernel version affected by this ipmr flaw for prioritized remediation.
Least functionality restrictions disable unnecessary IP multicast routing to avoid loading the vulnerable ipmr component.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a local low-privileged attacker to trigger a kernel panic (via out-of-bounds read in mr_mfc_uses_dev during netlink ipmr route dumps), directly facilitating T1499.004 (Application or System Exploitation) for endpoint DoS. The potential memory disclosure does not map reliably to other techniques like T1005 or T1082.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

ipmr: do not call mr_mfc_uses_dev() for unres entries

syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contains two pointers.

This code never worked, let's remove it.

[1]
Unable to handle kernel paging request at virtual address ffff5fff2d536613
KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
Modules linked in:
CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
Call trace:
 mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
 mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
 mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
 sock_recvmsg_nosec net/socket.c:1033 [inline]
 sock_recvmsg net/socket.c:1055 [inline]
 sock_read_iter+0x2d8/0x40c net/socket.c:1125
 new_sync_read fs/read_write.c:484 [inline]
 vfs_read+0x740/0x970 fs/read_write.c:565
 ksys_read+0x15c/0x26c fs/read_write.c:708
Deeper analysis
CVE-2025-21719 is a vulnerability in the Linux kernel's IP multicast routing (ipmr) component, specifically in the mr_mfc_uses_dev() function within net/ipv4/ipmr_base.c. The issue arises when this function is called on unresolved (unres) multicast forwarding cache entries: in such entries the res.minvif/res.maxvif fields it reads are a different view of the same union bytes as the struct sk_buff_head of the unresolved view, so the values it treats as vif indices are actually fragments of list pointers. This leads to an invalid memory access, such as a kernel paging request or wild-memory-access as reported by KASAN, resulting in a crash during operations like mr_table_dump.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). By triggering a netlink dump of ipmr routes via rtnetlink (e.g., through sock_recvmsg on a netlink socket), the attacker causes the kernel to invoke mr_mfc_uses_dev() on unres entries. This achieves high confidentiality impact (C:H) through potential memory disclosure and high availability impact (A:H) via kernel panic, with unchanged scope (S:U), as evidenced by the CVSS 3.1 score of 7.1 and CWE-125 (Out-of-bounds Read).
Mitigation involves applying kernel patches from stable releases, which remove the erroneous call to mr_mfc_uses_dev() for unres entries. Relevant commits include 15a901361ec3fb1c393f91880e1cbf24ec0a88bd, 26bb7d991f04eeef47dfad23e533834995c26f7a, 53df27fd38f84bd3cd6b004eb4ff3c4903114f1d, 547ef7e8cbb98f966c8719a3e15d4e078aaa9b47, and 57177c5f47a8da852f8d76cf6945cf803f8bb9e5, available at git.kernel.org/stable.
The vulnerability was discovered by syzbot fuzzing on kernel version 6.13.0-rc7, with no public reports of real-world exploitation.
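To make the union aliasing concrete, the following is an added user-space model written for this page; it is not kernel code and not part of the advisory. It keeps the field order of the kernel's mr_mfc union (expires/unresolved versus last_assert/minvif/maxvif/ttls) and shows that on an unresolved entry the "minvif"/"maxvif" bytes are really list pointers, then implements a dump loop that, as the fix does, never hands an unresolved entry to the device-filter helper. The names mfc_model, skb_head_model, uses_dev(), res_bounds_valid(), dump_entries() and the value MAXVIFS=32 are assumptions of the model, and the ttl test inside uses_dev() is simplified.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MAXVIFS 32 /* assumed; mirrors the kernel constant */
/* Stand-in for struct sk_buff_head: two list pointers plus bookkeeping. */
struct skb_head_model { void *next; void *prev; uint32_t qlen; uint32_t lock; };
/* Simplified model of struct mr_mfc: one union, two overlapping views. */
struct mfc_model {
    union {
        struct { unsigned long expires; struct skb_head_model unresolved; } unres;
        struct { unsigned long last_assert; int minvif, maxvif; unsigned char ttls[MAXVIFS]; } res;
    } mfc_un;
    bool unresolved; /* kernel: the entry sits on mrt->mfc_unres_queue */
};

static void init_unresolved(struct mfc_model *c)
{
    memset(c, 0, sizeof *c);
    c->unresolved = true;
    /* An empty queue points at itself, as skb_queue_head_init() leaves it. */
    c->mfc_un.unres.unresolved.next = c->mfc_un.unres.unresolved.prev = &c->mfc_un.unres.unresolved;
}
static void init_resolved(struct mfc_model *c, int minvif, int maxvif, int out_vif)
{
    memset(c, 0, sizeof *c);
    memset(c->mfc_un.res.ttls, 255, MAXVIFS); /* 255: never forward on that vif */
    c->mfc_un.res.minvif = minvif; c->mfc_un.res.maxvif = maxvif;
    c->mfc_un.res.ttls[out_vif] = 1; /* this route forwards on out_vif */
}
/* Model of mr_mfc_uses_dev(): walks minvif..maxvif and indexes ttls[] by them (ttl test simplified). */
static bool uses_dev(const struct mfc_model *c, int dev_vif)
{
    for (int ct = c->mfc_un.res.minvif; ct < c->mfc_un.res.maxvif; ct++)
        if (ct == dev_vif && c->mfc_un.res.ttls[ct] < 255)
            return true;
    return false;
}
/* The hazard: on an unresolved entry those bytes hold the queue's list pointers,
   so "minvif"/"maxvif" are pointer fragments and the loop above would run wild. */
static bool res_bounds_valid(const struct mfc_model *c)
{
    int lo = c->mfc_un.res.minvif, hi = c->mfc_un.res.maxvif;
    return lo >= 0 && lo <= hi && hi <= MAXVIFS;
}
/* Dump loop with the fix applied: the device filter is consulted only for resolved entries. */
static int dump_entries(const struct mfc_model *e, int n, int filter_vif)
{
    int emitted = 0;
    for (int i = 0; i < n; i++)
        if (e[i].unresolved || filter_vif < 0 || uses_dev(&e[i], filter_vif))
            emitted++;
    return emitted;
}
```

res_bounds_valid() on the unresolved entry returns false because the overlaid pointer halves are far outside 0..MAXVIFS, which is exactly the range the kernel helper would have looped over before the fix.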
Details
- CWE(s)