CVE-2025-21671
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's zram compressed memory driver. If zram device initialization fails, the kernel may later access freed memory when resetting the device, potentially leading to kernel crashes or privilege escalation. This affects all Linux systems using zram functionality.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or local privilege escalation allowing attackers to gain root access and compromise the entire system.
Likely Case
Kernel crash causing system instability or denial of service, requiring reboot to restore functionality.
If Mitigated
System remains stable with no impact if zram is not used or if the vulnerable code path is not triggered.
🎯 Exploit Status
Exploitation requires local access and ability to trigger zram device initialization failure followed by reset operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in stable kernel versions via commits referenced in CVE
Vendor Advisory: https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version.
2. For Debian systems: apt update && apt upgrade linux-image-*
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable zram module
Linux: Prevent loading of the zram kernel module to avoid the vulnerable code path
echo 'blacklist zram' > /etc/modprobe.d/blacklist-zram.conf
rmmod zram
update-initramfs -u
🧯 If You Can't Patch
- Ensure the zram module is not loaded (check with lsmod | grep zram)
- Restrict local user access to systems where zram is enabled
🔍 How to Verify
Check if Vulnerable:
Check whether the zram module is loaded (lsmod | grep zram). If it is, compare the running kernel version against the patched versions.
Check Version:
uname -r
Verify Fix Applied:
Verify the kernel version after the update and ensure the zram module loads without errors during device operations.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- OOM killer activity related to zram
- System crash/reboot events
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("panic" OR "Oops" OR "BUG") AND "zram"
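The two checks above (is zram loaded, and do kernel logs show a zram-related panic/Oops/BUG) applied to sample data, as an added example that is not part of the original advisory. The kernel log lines and lsmod output are constructed for illustration, and the awk filter mirrors the SIEM query's logic rather than any particular SIEM's syntax.

```shell
#!/bin/sh
# Constructed sample of kernel log lines (not captured from a real system).
SAMPLE_KERN_LOG='Jan 10 12:00:01 host kernel: zram: Added device: zram0
Jan 10 12:00:02 host kernel: zram0: detected capacity change from 0 to 1048576
Jan 10 12:00:03 host kernel: BUG: KASAN: slab-use-after-free in zram_reset_device+0x1c/0x80 [zram]
Jan 10 12:00:04 host kernel: usb 1-1: new high-speed USB device number 2
Jan 10 12:00:05 host kernel: Oops: 0000 [#1] SMP
Jan 10 12:00:06 host kernel: zram: Cannot initialise zstd compressing backend'

# Constructed lsmod output: one host with zram loaded, one without.
SAMPLE_LSMOD='Module                  Size  Used by
zram                   40960  2
zsmalloc               32768  1 zram
ext4                  917504  1'
SAMPLE_LSMOD_CLEAN='Module                  Size  Used by
ext4                  917504  1'

# Same logic as the SIEM query: a kernel line that mentions zram AND
# one of panic/Oops/BUG. Lines matching only one side are ignored.
match_zram_crash_lines() {
    printf '%s\n' "$1" | awk '/kernel:/ && /zram/ && /panic|Oops|BUG/'
}

# Count of matching lines (awk used so an empty result yields 0, not an error).
count_zram_crash_lines() {
    match_zram_crash_lines "$1" | awk 'END { print NR }'
}

# Exit 0 if the first column of any lsmod-style line is exactly "zram".
zram_loaded() {
    printf '%s\n' "$1" | awk '$1 == "zram" { found = 1 } END { exit !found }'
}

# Report on the constructed samples when run directly.
printf 'zram crash lines in sample log: %s\n' "$(count_zram_crash_lines "$SAMPLE_KERN_LOG")"
match_zram_crash_lines "$SAMPLE_KERN_LOG"
if zram_loaded "$SAMPLE_LSMOD"; then echo "host A: zram loaded"; fi
if ! zram_loaded "$SAMPLE_LSMOD_CLEAN"; then echo "host B: zram not loaded"; fi
```

On a live host, pass the real data instead of the samples, e.g. count_zram_crash_lines "$(dmesg)" and zram_loaded "$(lsmod)".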
🔗 References
- https://git.kernel.org/stable/c/212fe1c0df4a150fb6298db2cfff267ceaba5402
- https://git.kernel.org/stable/c/571d3f6045cd3a6d9f6aec33b678f3ffe97582ef
- https://git.kernel.org/stable/c/902ef8f16d5ca77edc77c30656be54186c1e99b7
- https://git.kernel.org/stable/c/fe3de867f94819ba0f28e035c0b0182150147d95
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html