CVE-2025-21720
📋 TL;DR
A NULL pointer dereference in the Linux kernel's XFRM (IPsec) subsystem, triggered when IP forwarding is enabled on a host that uses IPsec hardware offload. Packets that still carry secpath entries from inbound IPsec processing are forwarded and handed back to the network driver's IPsec offload transmit path, where the stale entry is dereferenced and the kernel panics (system crash). Only Linux systems that combine IPsec hardware acceleration with IP forwarding are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to complete system crash and denial of service, potentially causing data loss and service disruption.
Likely Case
System crash when IP forwarding is enabled with IPsec hardware offload, requiring manual reboot to restore service.
If Mitigated
No impact if IP forwarding is disabled or IPsec hardware offload is not used.
🎯 Exploit Status
Exploitation requires the ability to send network traffic that reaches the IPsec offload path on a host with IP forwarding enabled. No authentication is needed, but the attack only works against hosts with that specific configuration (IPsec hardware offload plus forwarding).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 600258d555f0710b9c47fb78d2d80a4aecd608cc, 6945701ca1572f81bc9bb46f624b02eabb3eaf3e, 981ad4c882096e7375b8c2181dd4c3ee58ea5bae, c6e1b2cac24b2a4d1dd472071021bf00c26450eb
Vendor Advisory: https://git.kernel.org/stable/c/600258d555f0710b9c47fb78d2d80a4aecd608cc
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. Check with your distribution for backported patches.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Disable IP forwarding
(linux) Prevents the vulnerable code path by disabling packet forwarding. Note that a host combining IPsec offload with forwarding is usually acting as a gateway, so this workaround removes the function the host exists for; where it is acceptable, persist the setting in /etc/sysctl.d/ so it survives a reboot, and as a precaution treat IPv6 forwarding (net.ipv6.conf.all.forwarding) the same way.
echo 0 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=0
Disable IPsec hardware offload
(linux) Use software IPsec instead of hardware acceleration. On Linux, offload is requested per SA (the offload dev ... dir ... option of ip xfrm state, or the IKE daemon's equivalent such as strongSwan's hw_offload child setting); remove it so the kernel performs ESP in software. The NIC's ESP offload capability is also exposed as the ethtool feature esp-hw-offload and can be switched off with ethtool -K; whether already-established SAs then fall back to software is driver-specific, so re-establish the SAs and confirm with ip xfrm state show that no SA still lists offload parameters. Check the network driver documentation for details.
🧯 If You Can't Patch
- Disable IP forwarding if not required for system function
- Use software-based IPsec instead of hardware offload
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether IP forwarding is enabled: uname -r && cat /proc/sys/net/ipv4/ip_forward. A host is only exposed if, in addition, at least one IPsec SA is configured for hardware offload (such SAs are listed by ip xfrm state show).
Check Version:
uname -r
Verify Fix Applied:
Confirm that the running kernel includes one of the fix commits listed above (distribution kernel changelogs usually reference the CVE id or the commit), then confirm the absence of XFRM/offload related oopses in the kernel log once the offloaded, forwarding configuration is back in service.
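The exposure check above combined into one script, as an added example that is not from the advisory or the kernel project. It classifies a host from the two conditions the advisory names: the IPv4 forwarding sysctl and whether any IPsec SA is configured for hardware offload. The function names (exposure_from_text, count_offloaded_sas, live_exposure), the SAMPLE_XFRM text and the assumption that iproute2 marks offloaded SAs with a "crypto offload parameters:" line are mine; verify that line against your iproute2 version.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel project: classify a host's
# exposure to CVE-2025-21720 from the two conditions the advisory names,
# IPv4 forwarding and IPsec SAs configured for hardware offload.
# The classifier takes text so it can be checked offline; the collector at the
# bottom feeds it the live sysctl value and `ip xfrm state show` output.

# exposure_from_text <ip_forward value> <text of `ip xfrm state show`>
# Prints: exposed | offload-only | forwarding-only | none
exposure_from_text() {
    fwd=$1
    xfrm_out=$2
    # Assumption: iproute2 prints a "crypto offload parameters: dev ... dir ..."
    # line for every SA that has hardware offload; check against your version.
    if printf '%s\n' "$xfrm_out" | grep -q 'offload parameters'; then
        offload=1
    else
        offload=0
    fi
    if [ "$fwd" = 1 ] && [ "$offload" = 1 ]; then
        echo exposed
    elif [ "$offload" = 1 ]; then
        echo offload-only
    elif [ "$fwd" = 1 ]; then
        echo forwarding-only
    else
        echo none
    fi
}

# count_offloaded_sas <text of `ip xfrm state show`>: number of offloaded SAs
count_offloaded_sas() {
    printf '%s\n' "$1" | grep -c 'offload parameters' || true
}

# Live collector (needs root for `ip xfrm state show`).
live_exposure() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)
    states=$(ip xfrm state show 2>/dev/null || true)
    exposure_from_text "$fwd" "$states"
}

# Constructed sample of `ip xfrm state show` output: the two SAs of one tunnel,
# only the inbound one offloaded. Addresses, SPIs and keys are made up.
SAMPLE_XFRM='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x00000100 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    aead rfc4106(gcm(aes)) 0x000102030405060708090a0b0c0d0e0f10111213 128
    crypto offload parameters: dev eth0 dir in mode packet
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x00000200 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    aead rfc4106(gcm(aes)) 0x202122232425262728292a2b2c2d2e2f30313233 128'

if [ "${1:-}" = "--live" ]; then
    live_exposure
else
    # Offline demonstration: the constructed sample with forwarding enabled.
    echo "sample host: $(exposure_from_text 1 "$SAMPLE_XFRM")"
fi
```

Run with --live on the gateway itself; "exposed" means both conditions hold and the host needs the fix or one of the workarounds, "offload-only" means the offloaded SAs alone do not trigger the bug until forwarding is switched on.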
📡 Detection & Monitoring
Log Indicators:
- Oops/panic output whose RIP or call trace names mlx5e_ipsec_handle_tx_skb (or other mlx5e_ipsec/xfrm functions) or secpath
- "BUG: kernel NULL pointer dereference" with the faulting address inside network driver code
- Unexpected reboots (kernel boot messages without a preceding clean shutdown)
Network Indicators:
- Sudden loss of IPsec connectivity
- Network interface resets
SIEM Query:
source="kernel" AND "NULL pointer dereference" AND ("XFRM" OR "xfrm_" OR "secpath" OR "mlx5e_ipsec")
(Matching on "NULL pointer dereference" alone flags every unrelated oops; the conjunction with the XFRM/offload frames is what ties the event to this vulnerability.)
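The same correlation applied to raw kernel log text, as an added example that is not from the advisory or the kernel project. Rather than matching single lines, it pairs each "BUG: kernel NULL pointer dereference" header with the frames of its own trace and reports which oopses name an XFRM, secpath or mlx5e_ipsec function. The function names (scan_oops, count_ipsec_oops) and the SAMPLE_LOG lines, including every address and symbol offset in them, are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel project: triage kernel
# log text for the oops signature the advisory describes. A bare match on
# "NULL pointer dereference" flags every unrelated oops, so each oops header is
# correlated with the frames of its own call trace.
#
# scan_oops: reads kernel log lines on stdin (dmesg format, "[seconds] msg")
# and prints one verdict per oops:
#   <seconds> ipsec-offload-oops   trace names mlx5e_ipsec*, xfrm_* or secpath
#   <seconds> other-oops           any other NULL pointer dereference
scan_oops() {
    awk '
    function emit() { print ts, (hit ? "ipsec-offload-oops" : "other-oops") }
    /BUG: kernel NULL pointer dereference/ {
        if (in_oops) emit()            # previous oops had no end marker
        in_oops = 1; hit = 0
        ts = match($0, /[0-9]+\.[0-9]+/) ? substr($0, RSTART, RLENGTH) : "?"
        next
    }
    in_oops && /(mlx5e_ipsec|xfrm_|secpath)/ { hit = 1 }
    in_oops && /end trace/ { emit(); in_oops = 0 }
    END { if (in_oops) emit() }
    '
}

# count_ipsec_oops: number of oopses on stdin attributed to the IPsec offload path
count_ipsec_oops() {
    scan_oops | grep -c 'ipsec-offload-oops' || true
}

# Constructed sample log: one oops in the mlx5 IPsec transmit path reached
# through ip_forward, one unrelated NULL dereference, plus noise. Addresses
# and symbol offsets are made up.
SAMPLE_LOG='[  120.000001] mlx5_core 0000:03:00.0 eth0: Link up
[  130.000002] BUG: kernel NULL pointer dereference, address: 0000000000000038
[  130.000003] #PF: supervisor read access in kernel mode
[  130.000004] RIP: 0010:mlx5e_ipsec_handle_tx_skb+0x3c/0x2a0 [mlx5_core]
[  130.000005] Call Trace:
[  130.000006]  <TASK>
[  130.000007]  mlx5e_xmit+0x1d2/0x1a00 [mlx5_core]
[  130.000008]  dev_hard_start_xmit+0x7c/0x1e0
[  130.000009]  ip_forward+0x23c/0x3d0
[  130.000010]  </TASK>
[  130.000011] ---[ end trace 0000000000000000 ]---
[  200.000012] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  200.000013] RIP: 0010:some_other_driver_fn+0x10/0x40
[  200.000014] ---[ end trace 0000000000000000 ]---'

if [ "${1:-}" = "--live" ]; then
    dmesg | scan_oops
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_LOG" | scan_oops
fi
```

For the previous boot, journalctl -k -b -1 -o short-monotonic --no-pager | scan_oops gives the same bracketed-seconds format. Keep in mind that a panic frequently does not reach persistent journal storage before the machine dies; the trace is most reliably captured by a serial console, netconsole or a kdump crash dump.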