CVE-2025-21809

5.5 MEDIUM

📋 TL;DR

This CVE describes a potential deadlock vulnerability in the Linux kernel's rxrpc and afs subsystems. The issue occurs when RCU cleanup running in BH (bottom-half, i.e. softirq) context attempts to acquire a spinlock that may already be held in non-BH context, potentially causing system hangs. This affects Linux systems using the AFS filesystem or rxrpc protocol.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions up to 6.13.0-rc5 (the version specifically mentioned in the report); earlier versions with similar code are likely affected.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if AFS filesystem or rxrpc protocol is in use. Many systems may not have these enabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

System deadlock leading to kernel panic, denial of service, or system instability requiring reboot.

🟠 Likely Case

System hangs or performance degradation when AFS filesystem operations or rxrpc protocol operations are active.

🟢 If Mitigated

Minor performance impact from lock contention, but no deadlock.

🌐 Internet-Facing: LOW - This is a kernel-level issue not directly exposed to network attacks.
🏢 Internal Only: MEDIUM - Systems using AFS or rxrpc could experience service disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

This is a race condition requiring specific timing and system configuration. Exploitation would likely cause denial of service rather than privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 0e77dd41689637ac4e1b8fe0f27541f373640855, 10ba5a3d57af20e494e0d979d1894260989235dd, 79d458c13056559d49b5e41fbc4b6890e68cf65b

Vendor Advisory: https://git.kernel.org/stable/c/0e77dd41689637ac4e1b8fe0f27541f373640855

Restart Required: Yes

Instructions:

1. Update to a kernel version containing the fix commits.
2. Check with your Linux distribution for backported patches.
3. Reboot the system after kernel update.

🔧 Temporary Workarounds

Disable AFS and rxrpc

If they are not needed, disable AFS filesystem support and the rxrpc protocol to eliminate the vulnerable surface.

modprobe -r kafs
modprobe -r rxrpc
echo 'blacklist kafs' >> /etc/modprobe.d/blacklist.conf
echo 'blacklist rxrpc' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Monitor system for lock contention warnings in kernel logs
  • Consider migrating AFS workloads to alternative filesystems if possible

🔍 How to Verify

Check if Vulnerable:

Check kernel version with 'uname -r' and compare to affected versions. Check if AFS or rxrpc modules are loaded with 'lsmod | grep -E "(kafs|rxrpc)"'.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits or is newer than 6.13.0-rc5. Check that lockdep warnings no longer appear in dmesg.

📡 Detection & Monitoring

Log Indicators:

  • Kernel lockdep warnings mentioning rxrpc_put_peer, peer_hash_lock, or RCU callback deadlock
  • System hangs or high CPU usage in kernel threads

Network Indicators:

  • Unusual AFS protocol errors or timeouts

SIEM Query:

source="kernel" AND ("lockdep" OR "deadlock" OR "rxrpc" OR "peer_hash_lock")
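
A narrower form of the log check above, as an added example that is not part of the original advisory: the SIEM query matches any line containing "rxrpc", while this script counts only lockdep reports that name rxrpc_put_peer or peer_hash_lock. The function names, the 40-line window and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: count lockdep reports that name the rxrpc peer-hash symbols.
# Reads kernel log text on stdin.

# count_rxrpc_lockdep [WINDOW]
# Prints the number of lockdep reports whose next WINDOW lines (default 40,
# an assumed value) mention rxrpc_put_peer or peer_hash_lock.
count_rxrpc_lockdep() {
    awk -v window="${1:-40}" '
        # A lockdep header line starts a new report and resets the window.
        /WARNING: (inconsistent lock state|possible circular locking dependency|possible irq lock inversion)/ {
            remaining = window; counted = 0; next
        }
        remaining > 0 {
            remaining--
            # Count each report once, however many lines in it match.
            if (!counted && /rxrpc_put_peer|peer_hash_lock/) { hits++; counted = 1 }
        }
        END { print hits + 0 }
    '
}

# has_rxrpc_lockdep [WINDOW]: exit 0 if at least one matching report is on stdin.
has_rxrpc_lockdep() {
    [ "$(count_rxrpc_lockdep "$@")" -gt 0 ]
}

# Constructed sample log (not captured from a real system): one unrelated
# rxrpc line, one lockdep report naming the peer hash lock, one unrelated report.
sample_log() {
    cat <<'EOF'
[  101.000001] rxrpc: AF_RXRPC socket registered
[  245.120000] ================================
[  245.120004] WARNING: inconsistent lock state
[  245.120009] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
[  245.120015] (&rxnet->peer_hash_lock){+.?.}-{3:3}, at: rxrpc_put_peer+0x0/0x0
[  300.500000] WARNING: possible circular locking dependency detected
[  300.500007] (&sb->s_type->i_mutex_key){+.+.}-{4:4}, at: example_fs_op+0x0/0x0
EOF
}

if sample_log | has_rxrpc_lockdep; then
    echo "rxrpc peer hash lock lockdep reports: $(sample_log | count_rxrpc_lockdep)"
fi
```

On a live host, pipe `dmesg` or `journalctl -k` into `count_rxrpc_lockdep`. Lockdep reports are only emitted by kernels built with lock debugging (CONFIG_PROVE_LOCKING), so a count of zero on a production kernel does not show the fix is present.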
