CVE-2025-22101
📋 TL;DR
A vulnerability in the Linux kernel's libwx networking module causes Tx ring hangs when non-TCP/UDP/SCTP packets are sent with Tx checksum offload enabled. This affects systems using the libwx module for network operations, potentially causing denial of service. The vulnerability is present in Linux kernel versions before the fix.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Complete network interface failure leading to denial of service on affected systems, requiring system reboot to restore functionality.
Likely Case
Network performance degradation or intermittent connectivity issues when specific packet types trigger the bug.
If Mitigated
Minimal impact if systems don't use the affected libwx module or have workarounds in place.
🎯 Exploit Status
Exploitation requires sending specific packet types to trigger the bug, but no public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 5f583e059eced1857f41e221ef5951e029e632bd, 6d56ea133adf0389b216ba6e47f7f35e95776713, c7d82913d5f9e97860772ee4051eaa66b56a6273
Vendor Advisory: https://git.kernel.org/stable/c/5f583e059eced1857f41e221ef5951e029e632bd
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable libwx module
Prevent loading of the vulnerable libwx kernel module
echo 'blacklist libwx' >> /etc/modprobe.d/blacklist.conf
rmmod libwx
Disable Tx checksum offload
Disable hardware checksum offload for affected interfaces
ethtool -K <interface> tx off
🧯 If You Can't Patch
- Implement network filtering to block non-TCP/UDP/SCTP traffic to affected systems
- Monitor systems for network interface hangs and have reboot procedures ready
🔍 How to Verify
Check if Vulnerable:
Check if libwx module is loaded: lsmod | grep libwx. Check kernel version against patched versions.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version after update and ensure libwx module functions without Tx ring hangs.
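An added example (not from the advisory or the kernel project) that combines the checks above: it reads the "Used by" column of lsmod to find drivers that depend on libwx, then reports the tx-checksumming state of each interface bound to one of them. It assumes libwx is built as a loadable module and that ethtool is installed; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: find drivers that depend on libwx and report whether their
# interfaces still have Tx checksum offload enabled.
# Assumes libwx is a loadable module (a built-in libwx is not shown by lsmod).

# stdin: `lsmod` text. stdout: modules in libwx's "Used by" column, one per line.
libwx_users() {
    awk '$1 == "libwx" && NF >= 4 {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }'
}

# stdin: `ethtool -k <interface>` text. stdout: on, off, or unknown.
tx_csum_state() {
    awk -F': *' '
        $1 ~ /^[ \t]*tx-checksumming$/ { split($2, v, " "); print v[1]; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Live check: walk /sys/class/net and report interfaces bound to those drivers.
audit_libwx() {
    users=$(lsmod | libwx_users)
    [ -n "$users" ] || { echo "libwx is not in use by any loaded driver"; return 0; }
    for dev in /sys/class/net/*; do
        [ -e "$dev/device/driver/module" ] || continue
        mod=$(basename "$(readlink -f "$dev/device/driver/module")")
        echo "$users" | grep -qx "$mod" || continue
        ifc=$(basename "$dev")
        echo "$ifc ($mod): tx-checksumming $(ethtool -k "$ifc" | tx_csum_state)"
    done
}

if [ "${1:-}" = "audit" ]; then
    audit_libwx
else
    # Constructed sample text, so the parsers can be tried without the hardware.
    printf 'Module Size Used by\nlibwx 118784 2 txgbe,ngbe\n' | libwx_users
    printf 'rx-checksumming: on\ntx-checksumming: on\n' | tx_csum_state
fi
```

Run it with `audit` as the first argument on the host; an interface reported as `on` is one where the `ethtool -K <interface> tx off` workaround has not been applied.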
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing network interface errors
- System logs indicating network connectivity loss
Network Indicators:
- Sudden drop in network traffic from affected systems
- Increased packet loss on specific interfaces
SIEM Query:
source="kernel" AND ("libwx" OR "Tx ring" OR "checksum offload")