CVE-2025-21760
Published: 27 February 2025
Summary
CVE-2025-21760 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 41.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2025-21760 is a use-after-free (UAF) vulnerability, classified under CWE-416, in ndisc_send_skb(), part of the Linux kernel's IPv6 Neighbor Discovery (ndisc) subsystem. The issue arises because ndisc_send_skb() can be invoked without the RTNL (rtnetlink) lock or RCU (read-copy-update) read-side protection held, so the network namespace information obtained through dev_net_rcu() may be accessed after the underlying object has been freed. Published on 2025-02-27, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
A local attacker with low-privilege (PR:L) access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation could allow the attacker to trigger the UAF condition, potentially resulting in arbitrary code execution, data corruption, or system denial of service, as evidenced by the high ratings for confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the unchanged security scope.
Mitigation involves applying the upstream kernel patches referenced in the stable repository, such as commits 04e05112f10354ffc3bb6cc796d553bab161594c, 10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1, 4d576202b90b1b95a7c428a80b536f91b8201bcc, 789230e5a8c1097301afc802e242c79bc8835c67, and a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d. These patches extend RCU protection by acquiring rcu_read_lock() earlier in ndisc_send_skb(), so that dev_net_rcu() is called inside the read-side critical section and the UAF is avoided. Security practitioners should update affected Linux kernels promptly, particularly those handling IPv6 neighbor discovery traffic.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5152
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
ndisc: extend RCU protection in ndisc_send_skb()
ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel use-after-free vulnerability enables a low-privileged attacker to achieve arbitrary code execution via exploitation of the ndisc_send_skb() flaw.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely patching of the Linux kernel to apply commits extending RCU protection in ndisc_send_skb(), eliminating the UAF vulnerability.
Deploys kernel memory protections like KASLR, SMEP/SMAP, and control-flow integrity to block exploitation of the UAF in the ndisc subsystem.
Establishes and enforces secure Linux kernel configuration settings, including hardening parameters that reduce UAF risks in IPv6 neighbor discovery.
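The two hardening controls above name KASLR, SMEP/SMAP, control-flow integrity and secure kernel configuration as ways to raise the cost of exploiting a kernel UAF; none of them fixes this bug, only the patched kernel does. The following is an added example, not code from this page or from the Linux project, that reads a kernel .config text and a /proc/cpuinfo text and reports which of those protections are absent. The Kconfig symbols are real; their grouping as "UAF-relevant hardening" and the sample configs are this example's own assumptions.

```python
"""Constructed example: report which UAF-relevant kernel hardening is missing
from a kernel .config text (e.g. /boot/config-$(uname -r) or zcat /proc/config.gz)."""
import re

# Real Kconfig symbols; treating them as the page's "hardening parameters" is our assumption.
# They raise the cost of exploiting a kernel UAF; only the patched kernel removes the bug.
UAF_HARDENING = {
    "CONFIG_RANDOMIZE_BASE": "KASLR: randomise kernel placement",
    "CONFIG_SLAB_FREELIST_HARDENED": "harden SLUB freelist pointers",
    "CONFIG_SLAB_FREELIST_RANDOM": "randomise SLUB freelist order",
    "CONFIG_INIT_ON_FREE_DEFAULT_ON": "zero memory on free",
    "CONFIG_CFI_CLANG": "control-flow integrity for indirect calls",
}
_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(y|m|n|\".*\"|-?\d+)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")

def parse_kconfig(text: str) -> dict:
    """Return {symbol: value}; '# CONFIG_X is not set' lines map to 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line):
            opts[m.group(1)] = "n"
    return opts

def missing_hardening(config_text: str) -> list:
    """Symbols from UAF_HARDENING that are not built in (=y); unset or absent symbols count as missing."""
    opts = parse_kconfig(config_text)
    return [sym for sym in UAF_HARDENING if opts.get(sym, "n") != "y"]

def cpu_has_smep_smap(cpuinfo_text: str) -> dict:
    """SMEP/SMAP are CPU features, listed in the 'flags' line of /proc/cpuinfo."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags.update(line.split(":", 1)[1].split())
    return {"smep": "smep" in flags, "smap": "smap" in flags}

# Constructed sample configs: a weak one (KASLR only) and its hardened counterpart.
WEAK_CONFIG = """\
CONFIG_RANDOMIZE_BASE=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
# CONFIG_SLAB_FREELIST_RANDOM is not set
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# CONFIG_CFI_CLANG is not set
"""
HARDENED_CONFIG = "".join(f"{s}=y\n" for s in UAF_HARDENING)
```

On a live host, pass `open("/boot/config-" + os.uname().release).read()` to `missing_hardening()` and `open("/proc/cpuinfo").read()` to `cpu_has_smep_smap()`.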