CVE-2025-21653

Severity: Medium · CVSS 3.1: 5.5 · EPSS 11.2%
Published Jan 19, 2025 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute

syzbot found that TCA_FLOW_RSHIFT attribute was not validated. Right shifting a 32bit integer is undefined for large shift values.

  UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23
  shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')
  CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
  Workqueue: ipv6_addrconf addrconf_dad_work
  Call Trace:
   <TASK>
   __dump_stack lib/dump_stack.c:94 [inline]
   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
   ubsan_epilogue lib/ubsan.c:231 [inline]
   __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
   flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329
   tc_classify include/net/tc_wrapper.h:197 [inline]
   __tcf_classify net/sched/cls_api.c:1771 [inline]
   tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867
   sfb_classify net/sched/sch_sfb.c:260 [inline]
   sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318
   dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793
   __dev_xmit_skb net/core/dev.c:3889 [inline]
   __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400
   dev_queue_xmit include/linux/netdevice.h:3168 [inline]
   neigh_hh_output include/net/neighbour.h:523 [inline]
   neigh_output include/net/neighbour.h:537 [inline]
   ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
   iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
   udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173
   geneve_xmit_skb drivers/net/geneve.c:916 [inline]
   geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039
   __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
   netdev_start_xmit include/linux/netdevice.h:5011 [inline]
   xmit_one net/core/dev.c:3590 [inline]
   dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606
   __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434
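The missing validation described above, as an added user-space example (not the kernel patch and not code from this page). The attribute layout, `DEMO_ATTR_RSHIFT` and all function names are assumptions for illustration; the limit of 31 follows from C leaving a shift of a 32-bit value by 32 or more undefined.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified netlink-style attribute header (assumption; len = header + payload). */
struct attr_hdr { uint16_t len; uint16_t type; };
#define DEMO_ATTR_RSHIFT 1   /* hypothetical type id used only in this demo */
#define MAX_RSHIFT 31        /* largest defined shift count for a 32-bit operand */

/* Parse one attribute from buf and store a validated shift count in *rshift.
 * Returns 0, or a negative errno for malformed or out-of-range input. */
int parse_rshift(const uint8_t *buf, size_t buflen, uint32_t *rshift)
{
    struct attr_hdr h;
    uint32_t v;
    if (buflen < sizeof(h))
        return -EINVAL;
    memcpy(&h, buf, sizeof(h));
    if (h.type != DEMO_ATTR_RSHIFT || h.len != sizeof(h) + sizeof(v) || h.len > buflen)
        return -EINVAL;
    memcpy(&v, buf + sizeof(h), sizeof(v));
    if (v > MAX_RSHIFT)      /* reject at configuration time, before any shift runs */
        return -ERANGE;
    *rshift = v;
    return 0;
}

/* Per-packet step: only ever called with a count that passed parse_rshift(). */
uint32_t apply_rshift(uint32_t key, uint32_t rshift)
{
    return key >> rshift;
}

/* Build a constructed attribute carrying `value` (sample input, not captured data). */
size_t build_attr(uint8_t *out, uint32_t value)
{
    struct attr_hdr h = { (uint16_t)(sizeof(h) + sizeof(value)), DEMO_ATTR_RSHIFT };
    memcpy(out, &h, sizeof(h));
    memcpy(out + sizeof(h), &value, sizeof(value));
    return h.len;
}

int main(void)
{
    uint8_t buf[8];
    uint32_t vals[] = { 4, 31, 32, 9445 }, r = 0;  /* 9445 is the exponent in the report */
    for (size_t i = 0; i < sizeof(vals) / sizeof(vals[0]); i++)
        printf("rshift=%u rc=%d\n", (unsigned)vals[i],
               parse_rshift(buf, build_attr(buf, vals[i]), &r));
    return 0;
}
```

Rejecting the value when the filter is configured keeps the per-packet path free of range checks and returns the error to the caller that supplied the bad attribute.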

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability
11.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 12

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥2.6.25 – <5.4.290
linux   linux_kernel  *        ≥5.5 – <5.10.234
linux   linux_kernel  *        ≥5.11 – <5.15.177
linux   linux_kernel  *        ≥5.16 – <6.1.125
linux   linux_kernel  *        ≥6.2 – <6.6.72
linux   linux_kernel  *        ≥6.7 – <6.12.10
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any

References 11

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-503939.html
  • git.kernel.org https://git.kernel.org/stable/c/2011749ca96460386844dfc7e0fde53ebee96f3c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/43658e4a5f2770ad94e93362885ff51c10cf3179
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6fde663f7321418996645ee602a473457640542f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9858f4afeb2e59506e714176bd3e135539a3eeec
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a039e54397c6a75b713b9ce7894a62e06956aa92
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a313d6e6d5f3a631cae5a241c392c28868aa5c5e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2011749ca96460386844dfc7e0fde53ebee96f3c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/43658e4a5f2770ad94e93362885ff51c10cf3179
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6fde663f7321418996645ee602a473457640542f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9858f4afeb2e59506e714176bd3e135539a3eeec
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a039e54397c6a75b713b9ce7894a62e06956aa92
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a313d6e6d5f3a631cae5a241c392c28868aa5c5e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e54beb9aed2a90dddf4c5d68fcfc9a01f3e40a61
    Patch