CVE-2025-21855
Published: 12 March 2025
Summary
CVE-2025-21855 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 2.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly remediates the use-after-free vulnerability in the ibmvnic driver by applying the specific kernel patches that eliminate the invalid skb access after transmission to VIOS.
- Enables identification of systems affected by CVE-2025-21855 through vulnerability scanning of kernel versions that use the ibmvnic driver.
- Implements memory safeguards that mitigate use-after-free risks by restricting unauthorized memory access in kernel drivers such as ibmvnic.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
A local use-after-free in a Linux kernel driver can enable arbitrary code execution, allowing privilege escalation from a low-privileged user.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

ibmvnic: Don't reference skb after sending to VIOS

Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free:

==================================================================
BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
Read of size 4 at addr c00000024eb48a70 by task hxecom/14495
<...>
Call Trace:
[c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
[c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
[c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
[c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
[c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
[c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358
<...>
Freed by task 0:
 kasan_save_stack+0x34/0x68
 kasan_save_track+0x2c/0x50
 kasan_save_free_info+0x64/0x108
 __kasan_mempool_poison_object+0x148/0x2d4
 napi_skb_cache_put+0x5c/0x194
 net_tx_action+0x154/0x5b8
 handle_softirqs+0x20c/0x60c
 do_softirq_own_stack+0x6c/0x88
<...>
The buggy address belongs to the object at c00000024eb48a00
 which belongs to the cache skbuff_head_cache of size 224
==================================================================
Deeper analysis [AI]
CVE-2025-21855 is a use-after-free vulnerability in the ibmvnic driver within the Linux kernel. The issue arises because, after successfully flushing a transmit buffer to the VIOS (Virtual I/O Server), the driver increments the tx_bytes statistic by reading the skb->len field. This read is invalid: the VIOS can trigger an interrupt at any point after the hand-off to free the skb, so the statistics update races with the free (especially during LPM) and produces a slab-use-after-free, as shown by the KASAN report in ibmvnic_xmit.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution, data corruption, or system crashes via the use-after-free (CWE-416), with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Mitigation involves applying kernel patches from the referenced stable commits, including 093b0e5c9059, 25dddd01dcc8, 501ac6a7e21b, abaff2717470, and bdf5d13aa05e, which resolve the invalid skb reference after sending to VIOS. Security practitioners should update affected Linux kernels, particularly those using the ibmvnic driver on IBM Power systems.
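To make the ordering problem concrete, the following toy model is an added example written for this page; it is not the kernel's ibmvnic code or any of the referenced patches. It places the vulnerable pattern from the NVD description (read skb->len after the buffer has been handed to the VIOS) beside the corrected pattern (read it before the hand-off and carry the value in a local). It assumes a simulated VIOS completion that frees the buffer immediately after the hand-off, which is the worst-case interleaving of the race, and it replaces KASAN's poisoned redzone with an ownership flag so the stale read is counted rather than left as undefined behaviour. Every name in it (struct skb, send_to_vios, xmit_buggy, xmit_fixed, uaf_report_count) is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a transmit path with asynchronous completion (added example,
 * not kernel code). The driver owns an skb only until it hands the buffer
 * to the "VIOS"; after that the VIOS may free it at any moment. */
struct skb {
    uint32_t len;
    bool owned_by_driver;   /* stands in for KASAN's freed/poisoned state */
};

/* Number of reads that touched a buffer the driver no longer owned; a real
 * KASAN build would report each of these as slab-use-after-free. */
static int uaf_reports;

int uaf_report_count(void) { return uaf_reports; }
void uaf_report_reset(void) { uaf_reports = 0; }

struct skb make_skb(uint32_t len)
{
    struct skb s = { len, true };
    return s;
}

/* Simulated VIOS completion interrupt: models the race being lost, i.e. the
 * buffer is freed before the driver gets back to updating its statistics. */
static void vios_complete_and_free(struct skb *skb)
{
    skb->owned_by_driver = false;
    skb->len = 0xdeadbeef;  /* poison so a stale read yields garbage */
}

/* Hand the buffer to the hypervisor. After this returns, the driver must
 * not dereference skb at all. Returns 0 on success, like a flush helper. */
static int send_to_vios(struct skb *skb)
{
    vios_complete_and_free(skb);
    return 0;
}

/* Checked load of skb->len: the stand-in for a KASAN-instrumented read. */
static uint32_t read_skb_len(const struct skb *skb)
{
    if (!skb->owned_by_driver)
        uaf_reports++;
    return skb->len;
}

/* Vulnerable pattern: the statistic is computed from skb after the hand-off,
 * so the read races with the completion free. Returns the new tx_bytes. */
uint64_t xmit_buggy(struct skb *skb, uint64_t tx_bytes)
{
    if (send_to_vios(skb) == 0)
        tx_bytes += read_skb_len(skb);  /* use-after-free */
    return tx_bytes;
}

/* Fixed pattern: snapshot everything needed from skb while the driver still
 * owns it, then use only the local copy after the hand-off. */
uint64_t xmit_fixed(struct skb *skb, uint64_t tx_bytes)
{
    uint32_t skb_len = read_skb_len(skb);  /* still owned here: safe */
    if (send_to_vios(skb) == 0)
        tx_bytes += skb_len;
    return tx_bytes;
}

int main(void)
{
    struct skb a = make_skb(1500);
    uint64_t buggy = xmit_buggy(&a, 0);
    printf("buggy: tx_bytes=%llu uaf_reports=%d\n",
           (unsigned long long)buggy, uaf_report_count());

    uaf_report_reset();
    struct skb b = make_skb(1500);
    uint64_t fixed = xmit_fixed(&b, 100);
    printf("fixed: tx_bytes=%llu uaf_reports=%d\n",
           (unsigned long long)fixed, uaf_report_count());
    return 0;
}
```

The fixed variant reads the length while the driver still owns the buffer and carries it across the hand-off in a local; that is the shape of remediation the description calls for, and it is also the property to check when auditing any completion-based transmit path: nothing dereferences the buffer once it has been queued to hardware or a hypervisor, because ownership has already passed to the other side.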
Details
- CWE(s): CWE-416 (Use After Free)