CVE-2025-21735
Published: 27 February 2025
Summary
CVE-2025-21735 is a high-severity out-of-bounds write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely patching of the Linux kernel to add bounds checking in nci_hci_create_pipe(), preventing exploitation of the out-of-bounds write.
- SI-10 (Information Input Validation): Enforces validation of information inputs from NFC, directly addressing the missing bounds check on the network-sourced u8 "pipe" variable that leads to memory corruption.
- SI-16 (Memory Protection): Implements memory safeguards such as non-executable memory and address randomization to raise the cost of exploiting the memory corruption caused by the out-of-bounds write.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel memory corruption (out-of-bounds write) in the NFC NCI subsystem allows a low-privileged attacker to achieve arbitrary code execution via crafted NFC input, directly enabling privilege escalation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Add bounds checking in nci_hci_create_pipe() The "pipe" variable is a u8 which comes from the network. If it's more than 127, then it results in memory corruption in the caller, nci_hci_connect_gate().
Deeper analysis
CVE-2025-21735 is a vulnerability in the Linux kernel's NFC NCI (Near Field Communication Controller Interface) subsystem, specifically in the nci_hci_create_pipe() function. The issue stems from a lack of bounds checking on a u8 "pipe" variable sourced from the network; values exceeding 127 trigger memory corruption in the caller function, nci_hci_connect_gate(). This out-of-bounds write (CWE-787) affects Linux kernel versions prior to the application of the relevant stable patches and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by supplying a crafted "pipe" value over an NFC connection, leading to memory corruption. Successful exploitation could allow arbitrary code execution, data tampering, or system crashes, with high impacts on confidentiality, integrity, and availability due to the unbounded write.
Mitigation involves applying kernel patches that add bounds checking to nci_hci_create_pipe(), as detailed in the following stable branch commits: 10b3f947b609713e04022101f492d288a014ddfa, 110b43ef05342d5a11284cc8b21582b698b4ef1c, 172cdfc3a5ea20289c58fb73dadc6fd4a8784a4e, 2ae4bade5a64d126bd18eb66bd419005c5550218, and 59c7ed20217c0939862fbf8145bc49d5b3a13f4f. Security practitioners should update affected Linux kernels promptly, particularly those with NFC functionality enabled.
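As an added illustration of the fix described above (this is not code from the kernel or from this advisory): a user-space model of the bounds check that the patch introduces, using the kernel's NCI_HCI_MAX_PIPES (127) and NCI_HCI_INVALID_PIPE (0x80) constants. The pipe table layout, the function names and the response bytes are hypothetical simplifications constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constants as defined in the kernel's include/net/nfc/nci_core.h. */
#define NCI_HCI_MAX_PIPES    127
#define NCI_HCI_INVALID_PIPE 0x80

/* Simplified stand-in for the kernel's per-pipe table (layout is hypothetical). */
struct pipe_entry { uint8_t gate; uint8_t host; };
struct hci_model  { struct pipe_entry pipes[NCI_HCI_MAX_PIPES]; };

/* Model of nci_hci_create_pipe() after the fix. The pipe id is the first byte of
 * the controller's response, i.e. network-sourced data. Before the fix it was
 * returned as-is; now any id >= NCI_HCI_MAX_PIPES becomes NCI_HCI_INVALID_PIPE,
 * which the caller must treat as an error. */
static uint8_t create_pipe_checked(const uint8_t *rsp, size_t len)
{
    if (len < 1)
        return NCI_HCI_INVALID_PIPE;       /* short response: nothing to index */
    uint8_t pipe = rsp[0];
    if (pipe >= NCI_HCI_MAX_PIPES)
        pipe = NCI_HCI_INVALID_PIPE;       /* the bounds check the CVE fix adds */
    return pipe;
}

/* Model of the caller, nci_hci_connect_gate(): index pipes[] only with a validated id. */
static int connect_gate_checked(struct hci_model *dev, const uint8_t *rsp, size_t len,
                                uint8_t dest_host, uint8_t dest_gate)
{
    uint8_t pipe = create_pipe_checked(rsp, len);
    if (pipe == NCI_HCI_INVALID_PIPE)
        return -1;                         /* refuse instead of writing past pipes[] */
    dev->pipes[pipe].gate = dest_gate;     /* in-bounds: pipe <= 126 here */
    dev->pipes[pipe].host = dest_host;
    return pipe;
}

/* Self-check on constructed responses: returns 1 when the model behaves as expected. */
static int run_self_check(void)
{
    struct hci_model dev = {0}, zero = {0};
    const uint8_t good[] = { 5 }, last[] = { 126 }, edge[] = { 127 }, high[] = { 200 };
    if (connect_gate_checked(&dev, edge, 1, 1, 0x43) != -1) return 0;  /* 127 is already out of range */
    if (connect_gate_checked(&dev, high, 1, 1, 0x43) != -1) return 0;  /* the CVE's >127 case */
    if (memcmp(&dev, &zero, sizeof dev) != 0) return 0;               /* rejection wrote nothing */
    if (connect_gate_checked(&dev, good, 1, 1, 0x41) != 5 || dev.pipes[5].gate != 0x41) return 0;
    return connect_gate_checked(&dev, last, 1, 1, 0x42) == 126 && dev.pipes[126].host == 1;
}

int main(void) { return run_self_check() ? 0 : 1; }
```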
Details
- CWE(s)