CVE-2025-21883
Published: 27 March 2025
Summary
CVE-2025-21883 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel's ice network driver. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 3.2nd percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply the upstream fix to the kernel's ice driver, which removes VFs from the PF-VF mailbox list when they are freed in the ice_ena_vfs() error path.
- CM-6 (Configuration Settings): keep SR-IOV disabled on ice PFs that do not need it (sriov_numvfs left at 0) and limit who may administer the PF. Note that the reproducer's steps already require root: the sriov_numvfs sysfs attribute is writable only by root, and changing the devlink eswitch mode or the link state needs CAP_NET_ADMIN. The exposure is therefore an administrative or orchestration action on SR-IOV hosts, not a sysfs toggle available to an ordinary user.
- Kernel hardening: KASLR raises the cost of turning the use-after-free into a working exploit, and CONFIG_DEBUG_LIST (the lib/list_debug.c check visible in the trace) turns the list corruption into an immediate kernel BUG instead of silent memory corruption; KASAN reports the use-after-free directly but is a debug build option. None of these prevent the crash, so they complement patching rather than replace it.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local use-after-free in a kernel driver can serve exploitation for privilege escalation (T1068) or cause denial of service through a kernel panic or memory corruption (T1499.004). The reproducer in the commit message demonstrates only the latter: a kernel BUG or KASAN report on the second SR-IOV enable.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

ice: Fix deinitializing VF in error path

If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox list, leading to list corruption.

Reproducer:
  devlink dev eswitch set $PF1_PCI mode switchdev
  ip l s $PF1 up
  ip l s $PF1 promisc on
  sleep 1
  echo 1 > /sys/class/net/$PF1/device/sriov_numvfs
  sleep 1
  echo 1 > /sys/class/net/$PF1/device/sriov_numvfs

Trace (minimized):
  list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).
  kernel BUG at lib/list_debug.c:29!
  RIP: 0010:__list_add_valid_or_report+0xa6/0x100
   ice_mbx_init_vf_info+0xa7/0x180 [ice]
   ice_initialize_vf_entry+0x1fa/0x250 [ice]
   ice_sriov_configure+0x8d7/0x1520 [ice]
   ? __percpu_ref_switch_mode+0x1b1/0x5d0
   ? __pfx_ice_sriov_configure+0x10/0x10 [ice]

Sometimes a KASAN report can be seen instead with a similar stack trace:
  BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100

VFs are added to this list in ice_mbx_init_vf_info(), but only removed in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is also being called in other places where VFs are being removed (including ice_free_vfs() itself).
Deeper analysis
CVE-2025-21883 is a use-after-free (CWE-416) in the Linux kernel's ice driver for Intel Ethernet controllers that support SR-IOV. The bug is in the error path of ice_ena_vfs(): if the function fails after ice_create_vf_entries() has run, it frees all VFs without unlinking them from the PF-VF mailbox snapshot list, so the list keeps pointers into freed memory. Nothing is detected at that moment; the damage surfaces when the next VF is registered, because ice_mbx_init_vf_info() adds the new entry to a list whose stale node now points at freed memory (in the trace, next->prev reads back as zero). With CONFIG_DEBUG_LIST this trips the list_add check in lib/list_debug.c and the kernel BUGs; with KASAN it is reported as a use-after-free in __list_add_valid_or_report(). The stack trace (ice_mbx_init_vf_info() called from ice_initialize_vf_entry() from ice_sriov_configure()) confirms that the crash occurs on the later sriov_numvfs write, not during the one that failed. The vulnerability carries a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The reproducer in the commit message exercises the failure directly: put the physical function (PF) into switchdev mode with devlink dev eswitch set, bring the interface up with promiscuous mode enabled, then write 1 to /sys/class/net/$PF/device/sriov_numvfs twice. The first write takes the faulty error path and leaves freed VF entries on the mailbox list; the second write registers a new VF and hits the stale node. Two caveats temper the "local, low-privilege" rating. First, every step requires root: sriov_numvfs is a root-writable sysfs attribute and the devlink and ip link commands need CAP_NET_ADMIN, so in practice the trigger is an administrator, a VF-provisioning tool or a compromised management plane rather than an unprivileged user. Second, the demonstrated outcome is a kernel BUG or KASAN report, that is, a crash (denial of service); the high confidentiality and integrity impacts in the score reflect what a kernel use-after-free on a list node could in principle be turned into, while the sources cited here show only the crash.
Mitigation is to apply the upstream fix, which moves the removal from the PF-VF mailbox list into ice_free_vf_entries(), a function already called on every VF teardown path including ice_free_vfs(), so the error path can no longer leave freed entries linked. The referenced stable commits are 34393fd78d71, 3c01102bec95, 79990cf5e7ad and a4880583f88d, available at git.kernel.org/stable. To scope exposure, check whether the ice module is loaded (lsmod) and whether any of its PFs has virtual functions enabled (a non-zero /sys/class/net/<pf>/device/sriov_numvfs); the affected code runs only while VFs are being enabled, so hosts that never configure SR-IOV on ice devices do not traverse it, but they should still take the kernel update. Distributions carrying the ice driver should be updated as soon as the fixed kernels are available.
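To make the failure sequence concrete, the following is an added userspace model written for this page; it is not code from the ice driver or the kernel. It reimplements a minimal struct list_head with a CONFIG_DEBUG_LIST-style check, stands in for the VF allocations with a fixed pool, and zeroes freed objects to mirror the trace, where next->prev read back as zero (these are assumptions of the model). run_reproducer() replays the two sriov_numvfs writes once with the vulnerable free routine, which leaves the freed VF linked, and once with the fixed shape, which unlinks in the shared free routine as the upstream commit does.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

/* Debug check modelled on CONFIG_DEBUG_LIST's __list_add_valid_or_report(). */
static bool list_add_valid(struct list_head *prev, struct list_head *next)
{
    if (next->prev != prev) {
        printf("list_add corruption. next->prev should be prev (%p), but was %p. (next=%p)\n",
               (void *)prev, (void *)next->prev, (void *)next);
        return false;
    }
    return true;
}

/* Insert at the head, as ice_mbx_init_vf_info() does; refuse on corruption. */
static bool list_add(struct list_head *entry, struct list_head *head)
{
    struct list_head *next = head->next;
    if (!list_add_valid(head, next))
        return false;
    next->prev = entry;
    entry->next = next;
    entry->prev = head;
    head->next = entry;
    return true;
}

static void list_del(struct list_head *entry)
{
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    entry->next = entry->prev = NULL;
}

static int list_count(const struct list_head *head)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next) n++;
    return n;
}

/* A VF; list_entry links it into the PF-VF mailbox snapshot list (model). */
struct vf { int id; struct list_head list_entry; };

#define MAX_VFS 4
static struct vf vf_pool[MAX_VFS]; /* fixed pool standing in for kzalloc'd VFs (assumption) */
static int vf_next_slot;           /* bump allocation: a new VF never aliases a freed one */

static struct vf *vf_alloc(int id)
{
    if (vf_next_slot >= MAX_VFS)
        return NULL;
    struct vf *vf = &vf_pool[vf_next_slot++];
    memset(vf, 0, sizeof(*vf));
    vf->id = id;
    return vf;
}

/* Freeing zeroes the object: models freed memory being scrubbed or reused (assumption). */
static void vf_free(struct vf *vf) { memset(vf, 0, sizeof(*vf)); }

/* Vulnerable shape: the ice_ena_vfs() error path frees a VF that is still linked. */
static void free_vf_entries_vulnerable(struct vf *vf) { vf_free(vf); }

/* Fixed shape: the shared free routine (ice_free_vf_entries()) unlinks first. */
static void free_vf_entries_fixed(struct vf *vf) { list_del(&vf->list_entry); vf_free(vf); }

/* Replay the reproducer: the first sriov_numvfs write registers a VF and then fails
 * in the error path; the second write registers a new VF on the same list. Returns
 * the list length afterwards, or -1 where the debug-list check tripped (kernel BUG). */
static int run_reproducer(bool fixed)
{
    struct list_head mbx_vfs;
    mbx_vfs.next = mbx_vfs.prev = &mbx_vfs;
    memset(vf_pool, 0, sizeof(vf_pool));
    vf_next_slot = 0;
    struct vf *vf0 = vf_alloc(0);               /* first: echo 1 > sriov_numvfs */
    if (!list_add(&vf0->list_entry, &mbx_vfs))
        return -1;
    if (fixed)
        free_vf_entries_fixed(vf0);             /* unlinked, then freed */
    else
        free_vf_entries_vulnerable(vf0);        /* freed but still on the list */
    struct vf *vf1 = vf_alloc(0);               /* second: echo 1 > sriov_numvfs */
    if (!list_add(&vf1->list_entry, &mbx_vfs))
        return -1;                              /* next->prev read back as (nil) */
    return list_count(&mbx_vfs);
}

int main(void)
{
    printf("vulnerable: %d\n", run_reproducer(false));
    printf("fixed:      %d\n", run_reproducer(true));
    return 0;
}
```

Compile with cc -std=c99 -Wall. The vulnerable run prints the same "list_add corruption. next->prev should be prev" line as the trace, with next->prev shown as (nil) because the freed node was zeroed, and returns -1; the fixed run returns 1, because list_del() in the shared free routine left the list head self-linked before the second VF was added. The point the model makes is that the free itself is silent: the corruption only becomes visible on the next insertion, which is why the second sriov_numvfs write, not the failed first one, appears in the stack trace.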
Details
- CWE(s)