CVE-2025-21852

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference in the Linux kernel's BPF tracing support. Commit c53795d48ee8 added an rx_sk (receiving socket) argument to the kfree_skb tracepoint that can be NULL, but the BPF verifier treated it as a trusted, non-NULL pointer. A tp_btf program attached to kfree_skb that dereferences rx_sk without a NULL check therefore passes verification and oopses the kernel the first time the tracepoint fires with rx_sk unset. Loading such a program requires CAP_BPF and CAP_PERFMON (or CAP_SYS_ADMIN), so unprivileged users cannot reach it; the impact is a local denial of service. The fix makes the verifier treat rx_sk as possibly NULL, so an unchecked dereference is rejected at load time instead of crashing the machine.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernels containing commit c53795d48ee8 (which added the rx_sk argument to trace_kfree_skb) but none of the fix commits listed below; specific version ranges depend on distribution backports
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: The crash needs a BPF tracing program (tp_btf) attached to kfree_skb that dereferences rx_sk without first checking it for NULL; nothing in a default install loads such a program. Loading tracing programs requires CAP_BPF and CAP_PERFMON (or CAP_SYS_ADMIN).

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

Kernel oops or panic as soon as a buggy (or deliberately unchecked) kfree_skb tracing program dereferences a NULL rx_sk, which happens on the first skb freed without a receiving socket after the program is attached.

🟢

If Mitigated

No impact on a patched kernel, where the verifier rejects programs that dereference rx_sk without a NULL check, or where every kfree_skb tracing program already tests rx_sk before using it.

🌐 Internet-Facing: LOW - Requires loading and attaching a BPF tracing program locally; not exploitable over the network.
🏢 Internal Only: MEDIUM - Local users or processes holding CAP_BPF and CAP_PERFMON (or CAP_SYS_ADMIN) can trigger the crash.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the ability to load and attach a BPF tracing program (CAP_BPF plus CAP_PERFMON, or CAP_SYS_ADMIN), so the attacker is already highly privileged on the host. Loading alone is harmless; the dereference only runs once the program is attached and the tracepoint fires.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 4dba79c1e7aad6620bbb707b6c4459380fd90860, 5da7e15fb5a12e78de974d8908f348e279922ce9, f579afacd0a66971fc8481f30d2d377e230a8342

Vendor Advisory: https://git.kernel.org/stable/c/4dba79c1e7aad6620bbb707b6c4459380fd90860

Restart Required: Yes

Instructions:

1. Update to a kernel build that contains one of the fix commits.
2. If your distribution has not shipped that version, check its security advisories for a backported patch.
3. Reboot into the updated kernel; the fix is in the verifier, so the old kernel stays vulnerable until then.

🔧 Temporary Workarounds

Restrict who can load BPF tracing programs

linux

Only principals holding CAP_BPF and CAP_PERFMON (or CAP_SYS_ADMIN) can load tp_btf programs, so keep those capabilities out of containers and service units, and confine the loaders you do need with an LSM (SELinux's bpf object class, or BPF LSM hooks on program load). The sysctl below is a sound baseline but does not close this issue on its own: it only affects unprivileged loaders, who could never load tracing programs anyway.

sysctl -w kernel.unprivileged_bpf_disabled=1

Audit programs attached to kfree_skb

linux

There is no sysctl that disables BPF tracing, and kernel.bpf_stats_enabled only toggles run-time statistics collection, so do not rely on it. Instead, list the loaded tracing programs and their links, confirm that every program attached to kfree_skb checks rx_sk for NULL before dereferencing it, and detach the ones that do not (or stop their loader).

bpftool prog show
bpftool link show

🧯 If You Can't Patch

  • Review every in-house or third-party BPF program attached to the kfree_skb tracepoint and make sure it tests rx_sk for NULL before dereferencing it; on an unpatched kernel the verifier will not enforce this for you
  • Keep CAP_BPF and CAP_PERFMON out of untrusted containers and service accounts, and treat any new tracing-program load as a change to review
  • Monitor for kernel oopses reporting a NULL pointer dereference whose call trace lands in a bpf_prog_* symbol, and trace any such crash back to the program and its loader

🔍 How to Verify

Check if Vulnerable:

The kernel is vulnerable if it contains commit c53795d48ee8 (kfree_skb carries an rx_sk argument) but none of the fix commits. uname -r alone does not settle this on distribution kernels, which backport fixes without changing the base version: check the kernel package changelog (rpm -q --changelog or apt changelog on the kernel package) for CVE-2025-21852, or confirm that the verifier rejects a kfree_skb tracing program that dereferences rx_sk without a NULL check.

Check Version:

uname -r

Verify Fix Applied:

Confirm from the distribution changelog that the running kernel carries one of the fix commits listed above and that the machine has been rebooted into it. On a patched kernel the verifier rejects an unchecked rx_sk dereference at load time (an "invalid mem access" on a pointer that may be NULL) instead of accepting it.
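The two things above that a practitioner actually has to do, auditing kfree_skb tracing programs for a NULL check and finding out whether the running kernel has the fix, can both be exercised with the load-only check below. It is an added example written for this page, not code from the kernel tree, from the advisory or from any BPF project. It parses /sys/kernel/btf/vmlinux by hand to find the btf_trace_kfree_skb typedef, then asks the verifier to load (never attach) a short tp_btf program for kfree_skb in two variants: one dereferences rx_sk with no NULL test, the way a buggy program would, and the other tests it first. Because the program is only verified and never attached, nothing runs in the tracepoint path, so the check cannot trigger the crash. It assumes the kfree_skb tracepoint's arguments are (skb, location, reason, rx_sk), so rx_sk is context slot 3 at byte offset 24, and that the fix behaves as the advisory describes, namely that a patched verifier treats rx_sk as possibly NULL and rejects the unchecked variant with EACCES. The `sample_btf` image is a constructed three-type BTF blob used only to self-test the parser; it is not taken from any kernel.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Raw BTF encoding (Documentation/bpf/btf.rst), declared by hand so the tool needs no libbpf. */
struct btf_hdr { uint16_t magic; uint8_t version, flags; uint32_t hdr_len, type_off, type_len, str_off, str_len; };
struct btf_typ { uint32_t name_off, info, size_or_type; };
enum { K_INT = 1, K_PTR = 2, K_ARRAY = 3, K_STRUCT = 4, K_UNION = 5, K_ENUM = 6, K_TYPEDEF = 8,
       K_FUNC_PROTO = 13, K_VAR = 14, K_DATASEC = 15, K_DECL_TAG = 17, K_ENUM64 = 19 };

/* Payload bytes that follow a btf_typ for each kind (fixed by the BTF ABI). */
size_t btf_extra_bytes(unsigned kind, unsigned vlen)
{
    switch (kind) {
    case K_INT: case K_VAR: case K_DECL_TAG:                    return 4;
    case K_ARRAY:                                               return 12;
    case K_STRUCT: case K_UNION: case K_ENUM64: case K_DATASEC: return 12 * (size_t)vlen;
    case K_ENUM: case K_FUNC_PROTO:                             return 8 * (size_t)vlen;
    default: return 0;   /* PTR, TYPEDEF, FWD, VOLATILE, CONST, RESTRICT, FUNC, FLOAT, TYPE_TAG */
    }
}

/* Return the ID of the TYPEDEF called `name` (IDs start at 1; 0 is void), or -1 if absent or malformed. */
int btf_find_typedef_id(const unsigned char *blob, size_t len, const char *name)
{
    struct btf_hdr h; if (len < sizeof h) return -1;
    memcpy(&h, blob, sizeof h);
    if (h.magic != 0xeB9F || h.hdr_len < sizeof h || h.str_len == 0 ||
        (uint64_t)h.hdr_len + h.type_off + h.type_len > len ||
        (uint64_t)h.hdr_len + h.str_off + h.str_len > len) return -1;
    const char *strs = (const char *)blob + h.hdr_len + h.str_off;
    if (strs[h.str_len - 1] != '\0') return -1;                 /* string table must end in NUL */
    const unsigned char *p = blob + h.hdr_len + h.type_off, *end = p + h.type_len;
    for (int id = 1; p + sizeof(struct btf_typ) <= end; id++) {
        struct btf_typ t; memcpy(&t, p, sizeof t);
        unsigned kind = (t.info >> 24) & 0x1f, vlen = t.info & 0xffff;
        if (kind == K_TYPEDEF && t.name_off < h.str_len && strcmp(strs + t.name_off, name) == 0)
            return id;
        p += sizeof t + btf_extra_bytes(kind, vlen);
    }
    return -1;
}

/* LOAD (never attach, so it never executes) a tp_btf program for kfree_skb. with_null_check=0 reads through
 * rx_sk (ctx slot 3) blindly, as a buggy program would: an unpatched verifier accepts it, a patched one rejects
 * it. with_null_check=1 is the hardened form, accepted by both. Returns 1 = accepted, 0 = verifier rejected
 * (reason left in log), -1 = cannot test (no BTF, not privileged). */
int try_load_kfree_skb_probe(int with_null_check, char *log, size_t log_size)
{
    int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return -1;   /* no CONFIG_DEBUG_INFO_BTF */
    size_t len = 0, cap = 1 << 22; unsigned char *blob = malloc(cap); ssize_t n;
    while (blob && (n = read(fd, blob + len, cap - len)) > 0)
        if ((len += (size_t)n) == cap) blob = realloc(blob, cap *= 2);
    close(fd);
    int id = blob ? btf_find_typedef_id(blob, len, "btf_trace_kfree_skb") : -1;
    free(blob);
    if (id < 0) return -1;
    struct bpf_insn insns[5]; int cnt = 0;                       /* kfree_skb args: skb, location, reason, rx_sk */
    insns[cnt++] = (struct bpf_insn){ BPF_LDX | BPF_MEM | BPF_DW, 1, 1, 24, 0 };   /* r1 = ctx[3] = rx_sk */
    if (with_null_check)
        insns[cnt++] = (struct bpf_insn){ BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1, 0 }; /* if (!rx_sk) skip the load */
    insns[cnt++] = (struct bpf_insn){ BPF_LDX | BPF_MEM | BPF_DW, 0, 1, 0, 0 };    /* r0 = *(u64 *)rx_sk */
    insns[cnt++] = (struct bpf_insn){ BPF_ALU64 | BPF_MOV | BPF_K, 0, 0, 0, 0 };   /* r0 = 0 */
    insns[cnt++] = (struct bpf_insn){ BPF_JMP | BPF_EXIT, 0, 0, 0, 0 };
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_TRACING;  attr.expected_attach_type = BPF_TRACE_RAW_TP;   /* tp_btf */
    attr.attach_btf_id = (uint32_t)id;  attr.insns = (uintptr_t)insns;  attr.insn_cnt = (uint32_t)cnt;
    attr.license = (uintptr_t)"GPL";  attr.log_buf = (uintptr_t)log;  attr.log_size = (uint32_t)log_size;  attr.log_level = 1;
    int pfd = (int)syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    if (pfd >= 0) { close(pfd); return 1; }                      /* verified; closing the fd discards it */
    return errno == EACCES ? 0 : -1;                             /* EACCES: verifier said no; EPERM: not root */
}

/* Constructed three-type BTF image (not from any kernel) for the self-test: id 1 int, id 2 pointer to it,
 * id 3 typedef of the pointer. sample_typedef_id() returns 3 for the typedef name and -1 for anything else. */
static const struct { struct btf_hdr h; struct btf_typ t_int; uint32_t int_enc; struct btf_typ t_ptr, t_td; char strs[25]; }
sample_btf = { { 0xeB9F, 1, 0, 24, 0, 40, 40, 25 }, { 1, K_INT << 24, 4 }, 32, { 0, K_PTR << 24, 1 },
               { 5, K_TYPEDEF << 24, 2 }, "\0int\0btf_trace_kfree_skb" };   /* strings: "int" at 1, typedef at 5 */

int sample_typedef_id(const char *name)
{
    return btf_find_typedef_id((const unsigned char *)&sample_btf, 24 + 40 + 25, name);
}

int main(void)
{
    char log[8192];
    int r = try_load_kfree_skb_probe(0, log, sizeof log);
    if (r < 0) { fputs("cannot test: needs root (CAP_BPF+CAP_PERFMON) and a BTF-enabled kernel\n", stderr); return 2; }
    printf("unchecked rx_sk dereference %s -> kernel %s\n%s", r ? "ACCEPTED" : "REJECTED",
           r ? "VULNERABLE (CVE-2025-21852)" : "not vulnerable (patched, or kfree_skb has no rx_sk)", r ? "" : log);
    printf("NULL-checked form: %s\n", try_load_kfree_skb_probe(1, log, sizeof log) == 1 ? "accepted" : "rejected");
    return r;
}
```

Build with cc -O2 -o rx_sk_check rx_sk_check.c and run as root. Exit status 1 means the unchecked program was accepted, so the running kernel still trusts rx_sk and is vulnerable; 0 means the verifier rejected it and the NULL-checked form should still load; 2 means the check could not run. A kernel older than c53795d48ee8 rejects both variants because kfree_skb has no fourth argument there; the printed verifier log shows which case you are in. The NULL-checked variant is exactly the pattern every kfree_skb tracing program should follow: test rx_sk before the first load through it.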

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops or panic messages reporting a NULL pointer dereference whose call trace includes a bpf_prog_* symbol (the JIT-compiled program) and kfree_skb
  • On a patched kernel, verifier rejections in your BPF tooling's logs that mention rx_sk or "invalid mem access": such a program would have crashed an unpatched kernel
  • bpf() syscall audit records (auditd can log the bpf syscall) from processes that are not expected to load tracing programs

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

source="kernel" AND "NULL pointer dereference" AND ("bpf_prog_" OR "kfree_skb")
