CVE-2025-21857
📋 TL;DR
This CVE describes a NULL pointer dereference vulnerability in the Linux kernel's net/sched subsystem. The flaw occurs when error handling in tcf_exts_miss_cookie_base_alloc() incorrectly treats a successful allocation as an error, leading to a kernel panic when the NULL pointer is dereferenced. This affects Linux systems using the traffic control (tc) subsystem with flower classifier.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing service disruption and data loss.
Likely Case
System crash or kernel panic when specific traffic control operations are performed, resulting in denial of service.
If Mitigated
No impact if traffic control subsystem is not used or vulnerable code path is not triggered.
🎯 Exploit Status
Requires local access and ability to execute privileged operations. Triggering requires specific tc operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with fixes from provided git commits
Vendor Advisory: https://git.kernel.org/stable/c/071ed42cff4fcdd89025d966d48eabef59913bf2
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing fixes from provided git commits. 2. For RHEL/CentOS: yum update kernel. 3. For Ubuntu/Debian: apt update && apt upgrade linux-image. 4. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable traffic control usage
linuxPrevent use of traffic control subsystem that triggers vulnerable code path
# Monitor and restrict tc command usage
# Implement policy to block CAP_NET_ADMIN for unnecessary users
🧯 If You Can't Patch
- Restrict access to CAP_NET_ADMIN capability to prevent triggering vulnerable code
- Implement monitoring for kernel panic events and tc command usage
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if traffic control is used. Vulnerable if using affected kernel version and tc commands with flower classifier.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is updated beyond vulnerable versions. Check that tc operations no longer cause kernel panics.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- NULL pointer dereference errors
- Process crashes related to traffic control
Network Indicators:
- Unusual tc command usage patterns
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "kernel panic") AND process="tc"