Cyber Posture

CVE-2025-21791

High

Published: 27 February 2025
Modified: 03 November 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21791 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the UAF vulnerability by requiring timely patching of the Linux kernel to add RCU protection in l3mdev_l3_out().

prevent

Provides kernel memory protections like ASLR and guard pages that mitigate exploitation of the UAF in the VRF component even if unpatched.

detect

Vulnerability scanning detects the presence of CVE-2025-21791 in the Linux kernel, triggering remediation to apply RCU fixes.

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Local kernel UAF enables privilege escalation via arbitrary code execution (T1068) and system DoS through exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

vrf: use RCU protection in l3mdev_l3_out()

l3mdev_l3_out() can be called without RCU being held:

raw_sendmsg()
 ip_push_pending_frames()
  ip_send_skb()
   ip_local_out()
    __ip_local_out()
     l3mdev_ip_out()

Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF.

Deeper analysis · AI

CVE-2025-21791 is a use-after-free (UAF) vulnerability, classified under CWE-416, in the Linux kernel's Virtual Routing and Forwarding (VRF) component. The issue arises in the l3mdev_l3_out() function, which can be invoked without Read-Copy Update (RCU) protection, such as during the call chain from raw_sendmsg() through ip_local_out() and __ip_local_out(). The absence of an RCU read-side critical section on this path enables a potential UAF. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-27.

A local attacker with low privileges can exploit this vulnerability with low complexity and without user interaction. Successful exploitation could have a high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or denial of service on the affected kernel instance.

Mitigation involves applying kernel patches from the provided stable branch commits, including 022cac1c693add610ae76ede03adf4d9d5a2cf21, 20a3489b396764cc9376e32a9172bee26a89dc3b, 5bb4228c32261d06e4fbece37ec3828bcc005b6b, 6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e, and 6d0ce46a93135d96b7fa075a94a88fe0da8e8773. These commits add an rcu_read_lock()/rcu_read_unlock() pair to l3mdev_l3_out() to ensure proper RCU protection.

Details

CWE(s)

Affected Products

linux
linux kernel
6.14 · 4.9 — 6.1.129 · 6.2 — 6.6.79 · 6.7 — 6.12.16
