Cyber Resilience

CVE-2025-21759

Severity: High
Published: 27 February 2025
Modified: 24 March 2025
KEV Added: not listed
Patch: available (upstream fix commits, see Deeper analysis)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21759 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS 3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The EPSS score places it in the top 48.4% of CVEs by predicted exploit likelihood (51.6th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations this analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning): patch the kernel, and scan for hosts that are still running an affected version.

Deeper analysis

CVE-2025-21759 is a use-after-free (UAF) in the Linux kernel's IPv6 multicast (MLD) code, in the igmp6_send() function (net/ipv6/mcast.c). igmp6_send() can be called without the RTNL lock or an RCU read-side critical section held, so the net pointer it fetches from the device can refer to a network namespace that is concurrently being freed, and the function then dereferences freed memory. The fix extends RCU protection across the function so the net pointer is fetched and used safely. The GFP_KERNEL detail in the commit message is a consequence of the fix, not the cause of the bug: code inside an RCU read-side section must not sleep, and sock_alloc_send_skb() on net->ipv6.igmp_sk can sleep because that socket uses GFP_KERNEL allocations, so the patched code allocates the skb with alloc_skb() and charges it to the igmp_sk socket under RCU. The affected version ranges are given in the Affected Assets section; the bug has been present since 2.6.26.

The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.8) describes a local attacker with low privileges and no user interaction, with high impact on confidentiality, integrity and availability and no scope change. A UAF on a kernel object can be turned into a kernel crash, data corruption, or arbitrary kernel code execution if the attacker can control what lands in the freed memory before it is reused. In practice the freed object is a network namespace, so triggering the bug means winning a race between an MLD report being sent on a device and teardown of the namespace that owns it; the low EPSS score (0.0028) reflects low expected exploitation activity rather than a low impact if exploitation succeeds.

Mitigation is to run a kernel that contains the fix. The fix commits listed for this CVE (the upstream fix and its stable backports) are 087c1faa594fa07a66933d750c0b2610aa1a2946, 0bf8e2f3768629d437a32cb824149e6e98254381, 81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a and 8e92d6a413feaf968a33f0b439ecf27404407458. They extend RCU protection in igmp6_send() so the net pointer is fetched safely and switch the skb allocation to alloc_skb() under that protection. Distribution kernels frequently backport such fixes without changing the upstream version string, so confirm patch status from the distribution's advisory or package changelog rather than from the version number alone. On the detection side, the observable symptom of a failed trigger is a kernel oops or KASAN report with igmp6_send() in the backtrace, which is worth alerting on from kernel logs on hosts that cannot be patched immediately.
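As an added example, not taken from the advisory, the NVD record or the kernel tree, the following POSIX shell script turns the version ranges in the Affected Assets section into a triage check that can be run against `uname -r` or a list of version strings. It assumes that each range is start-inclusive and end-exclusive, i.e. that the end of each range is the first release of that series carrying the fix (four fix commits are listed above, one per series); that the bare "6.14" entry means the 6.14 release candidates, which it reports as "check" because the page does not say which -rc carries the mainline fix; and that release candidates of the 6.7 and 6.13 series are affected as well, since the bug dates from 2.6.26. The function names (kver_num, in_range, cve_2025_21759_status) and the script file name are the example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or the kernel tree: a version-range
# triage check for CVE-2025-21759 built from the ranges on this page.
# Assumption: each range is start-inclusive and end-exclusive (the end version
# is the first release of its series that carries the fix). The bare "6.14"
# entry is read as the 6.14 release candidates and reported as "check" because
# the page gives no -rc number. Release candidates of 6.7 and 6.13 are treated
# as affected, since the bug has existed since 2.6.26. Distribution kernels that
# backport the fix without changing the version string will still be flagged.

# kver_num VERSION -> one integer sort key: major*1e9 + minor*1e6 + patch*1e3 + rc
#   "6.6.78-generic" -> 6006078999   (a final release sorts above every -rc: rc=999)
#   "6.14.0-rc1"     -> 6014000001
kver_num() {
    rc=999
    case "$1" in
        *-rc[0-9]*) rc=$(printf '%s' "$1" | sed 's/.*-rc\([0-9]*\).*/\1/') ;;
    esac
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-rc1", "-generic", "+", ...
    # Split on "." inside a subshell so the IFS change does not leak out.
    ( IFS=.; set -- $v
      echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + rc )) )
}

# in_range VERSION START END -> true when START <= VERSION < END
in_range() {
    n=$(kver_num "$1"); s=$(kver_num "$2"); e=$(kver_num "$3")
    [ "$n" -ge "$s" ] && [ "$n" -lt "$e" ]
}

# cve_2025_21759_status VERSION -> prints "affected", "check" or "not-affected"
# Ranges copied from the Affected Assets section of this page.
cve_2025_21759_status() {
    if in_range "$1" 2.6.26 6.6.79 || in_range "$1" 6.7-rc1 6.12.16 || in_range "$1" 6.13-rc1 6.13.4; then
        echo affected
    elif in_range "$1" 6.14-rc1 6.14; then
        echo check          # 6.14 -rc: fix is in mainline 6.14, exact -rc not given on the page
    else
        echo not-affected
    fi
}

# Usage (the script name is hypothetical):
#   sh cve-2025-21759-check.sh                  -> reports on $(uname -r)
#   sh cve-2025-21759-check.sh 6.6.78 6.13-rc7  -> reports on each argument
if [ "$#" -gt 0 ]; then
    for ver in "$@"; do echo "$ver: $(cve_2025_21759_status "$ver")"; done
else
    running=$(uname -r)
    echo "$running: $(cve_2025_21759_status "$running")"
fi
```

Version-based checks are a triage aid only: RHEL, SUSE, Debian and Ubuntu kernels carry backported fixes under unchanged upstream version numbers, so a host reported as "affected" must be confirmed against the distribution advisory or the kernel package changelog. For a kernel source tree, `git merge-base --is-ancestor <fix-commit> HEAD` with one of the commit hashes listed above exits 0 when that fix is in the checked-out history.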

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: extend RCU protection in igmp6_send()

igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The Linux kernel UAF in igmp6_send() can give a local, low-privileged attacker kernel code execution or control of kernel memory, which maps directly to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Kernel)
CVE-2026-31530 (same product: Linux Kernel)
CVE-2026-43019 (same product: Linux Kernel)
CVE-2026-23158 (same product: Linux Kernel)
CVE-2025-21893 (same product: Linux Kernel)
CVE-2026-31446 (same product: Linux Kernel)
CVE-2026-31650 (same product: Linux Kernel)
CVE-2026-23001 (same product: Linux Kernel)
CVE-2024-50051 (same product: Linux Kernel)
CVE-2026-23077 (same product: Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected version ranges as listed: 2.6.26 to 6.6.79; 6.7 to 6.12.16; 6.13 to 6.13.4; 6.14
Read each range as start-inclusive and end-exclusive, with the end being the first release of that series that carries the fix; the bare "6.14" entry covers the 6.14 release candidates before the mainline fix.

Mitigating Controls (NIST 800-53 r5, AI mapping)

SI-2 Flaw Remediation (prevent)
Directly requires identifying, prioritizing, and applying patches to remediate the kernel UAF in igmp6_send() as specified in the CVE fix commits.

RA-5 Vulnerability Monitoring and Scanning (detect)
Mandates vulnerability scanning to identify systems running unpatched Linux kernels affected by this IPv6 multicast UAF.

Memory protection (prevent; the page omits the control identifier, and the description corresponds to SI-16 Memory Protection)
Kernel memory protections such as KASLR and SMEP/SMAP raise the cost of turning the UAF into arbitrary code execution, but they do not prevent a kernel crash from the same bug and do not remove it; treat them as defence in depth alongside the patch, not as a substitute for it.