CVE-2025-22107
📋 TL;DR
This CVE describes an out-of-bounds memory access vulnerability in the Linux kernel's SJA1105 DSA driver. When deleting table entries, the driver incorrectly accesses memory beyond array bounds, potentially causing kernel crashes or information disclosure. Systems using the affected SJA1105 Ethernet switch driver are vulnerable.
💻 Affected Systems
- Linux kernel with sja1105 DSA driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, or potential information disclosure from unmapped memory pages.
Likely Case
System instability or kernel crashes when network operations trigger the vulnerable code path.
If Mitigated
Minor performance impact or no noticeable effect if the vulnerable code path isn't triggered.
🎯 Exploit Status
Exploitation requires triggering the specific table deletion operation in the sja1105 driver, which may require local access or specific network operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in kernel commits referenced in CVE (031e00249e9e6bee72ba66701c8f83b45fc4b8a2 and others)
Vendor Advisory: https://git.kernel.org/stable/c/031e00249e9e6bee72ba66701c8f83b45fc4b8a2
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load patched kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable sja1105 driver
linuxPrevent loading of vulnerable sja1105 DSA driver module
echo 'blacklist sja1105' >> /etc/modprobe.d/blacklist.conf
rmmod sja1105
🧯 If You Can't Patch
- Restrict access to systems using sja1105 driver to trusted users only
- Monitor systems for kernel crashes or instability related to network operations
🔍 How to Verify
Check if Vulnerable:
Check if sja1105 driver is loaded: lsmod | grep sja1105. If loaded and kernel version is unpatched, system is vulnerable.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits or check that sja1105 driver version is patched.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- Out-of-bounds access warnings in kernel logs
- System crashes during network operations
Network Indicators:
- Unusual network behavior on systems using sja1105 switches
SIEM Query:
source="kernel" AND ("panic" OR "out-of-bounds" OR "sja1105")🔗 References
- https://git.kernel.org/stable/c/031e00249e9e6bee72ba66701c8f83b45fc4b8a2
- https://git.kernel.org/stable/c/4584486cfcca24b7b586da3377eb3cffd48669ec
- https://git.kernel.org/stable/c/59b97641de03c081f26b3a8876628c765b5faa25
- https://git.kernel.org/stable/c/5f2b28b79d2d1946ee36ad8b3dc0066f73c90481
- https://git.kernel.org/stable/c/b52153da1f42e2f4d6259257a7ba027331671a93
