CVE-2025-21789
Published: 27 February 2025
Summary
CVE-2025-21789 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 16.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation directly addresses this CVE by requiring application of upstream kernel patches that fix the out-of-bounds read and undefined shift in LoongArch IP checksum code.
Information input validation prevents the processing of negative lengths that trigger the out-of-bounds read and undefined shift in the IP checksum function.
Vulnerability monitoring and scanning identifies deployed LoongArch kernels affected by this specific CVE for prioritization of remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB read enables collection of sensitive data from local kernel memory (T1005); undefined behavior and negative lengths enable crashes for DoS via system exploitation (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: LoongArch: csum: Fix OoB access in IP checksum code for negative lengths Commit 69e3a6aa6be2 ("LoongArch: Add checksum optimization for 64-bit system") would cause an undefined shift and an out-of-bounds read.…
more
Commit 8bd795fedb84 ("arm64: csum: Fix OoB access in IP checksum code for negative lengths") fixes the same issue on ARM64.
Deeper analysisAI
CVE-2025-21789 is a vulnerability in the Linux kernel's LoongArch architecture implementation of IP checksum calculation. It manifests as an out-of-bounds read and undefined shift operation triggered by negative lengths, stemming from commit 69e3a6aa6be2 ("LoongArch: Add checksum optimization for 64-bit system"). This issue mirrors a previously fixed problem in ARM64 via commit 8bd795fedb84. The flaw is classified under CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations through out-of-bounds reads, potentially leaking sensitive kernel memory, alongside high availability disruption, such as denial of service via crashes or instability.
Mitigation is provided through upstream kernel patches in the stable repository, including commits 6287f1a8c16138c2ec750953e35039634018c84a, 964a8895704a22efc06a2a3276b624a5ae985a06, 9f15a8df542c0f08732a67d1a14ee7c22948fb97, and d6508ffff32b44b6d0de06704034e4eef1c307a7. Security practitioners should update affected LoongArch-based Linux kernels to incorporate these fixes.
Details
- CWE(s)