CVE-2025-21806

MEDIUM EPSS 8.5%
Published Feb 27, 20251y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 27, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net: let net.core.dev_weight always be non-zero The following problem was encountered during stability test: (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \ returned 1, exceeding its budget of 0. ------------[ cut here ]------------ list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \ next=ffff88905f746e40. WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \ __list_add_valid_or_report+0xf3/0x130 CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+ RIP: 0010:__list_add_valid_or_report+0xf3/0x130 Call Trace: ? __warn+0xcd/0x250 ? __list_add_valid_or_report+0xf3/0x130 enqueue_to_backlog+0x923/0x1070 netif_rx_internal+0x92/0x2b0 __netif_rx+0x15/0x170 loopback_xmit+0x2ef/0x450 dev_hard_start_xmit+0x103/0x490 __dev_queue_xmit+0xeac/0x1950 ip_finish_output2+0x6cc/0x1620 ip_output+0x161/0x270 ip_push_pending_frames+0x155/0x1a0 raw_sendmsg+0xe13/0x1550 __sys_sendto+0x3bf/0x4e0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x5b/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e The reproduction command is as follows: sysctl -w net.core.dev_weight=0 ping 127.0.0.1 This is because when the napi's weight is set to 0, process_backlog() may return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this napi to be re-polled in net_rx_action() until __do_softirq() times out. Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can be retriggered in enqueue_to_backlog(), causing this issue. Making the napi's weight always non-zero solves this problem. Triggering this issue requires system-wide admin (setting is not namespaced).

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
8.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 8

VendorProductVersionRange
linuxlinux_kernel*≥2.6.13  –  <5.4.291
linuxlinux_kernel*≥5.5  –  <5.10.235
linuxlinux_kernel*≥5.11  –  <5.15.179
linuxlinux_kernel*≥5.16  –  <6.1.129
linuxlinux_kernel*≥6.2  –  <6.6.76
linuxlinux_kernel*≥6.7  –  <6.12.13
linuxlinux_kernel*≥6.13  –  <6.13.2
linuxlinux_kernel2.6.12any

References 12

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-503939.html
  • git.kernel.org https://git.kernel.org/stable/c/0e2f1d93d287d544d26f8ff293ea820a8079b9f8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1489824e5226a26841c70639ebd2d1aed390764b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/33e2168788f8fb5cb8bd4f36cb1ef37d1d34dada
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5860abbf15eeb61838b5e32e721ba67b0aa84450
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6ce38b5a6a49e65bad163162a54cb3f104c40b48
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c337c08819a4ec49edfdcd8fc46fbee120d8a5b2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0e0f9c8218826926d7692980c98236d9f21fd3c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d1f9f79fa2af8e3b45cffdeef66e05833480148a
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0e2f1d93d287d544d26f8ff293ea820a8079b9f8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1489824e5226a26841c70639ebd2d1aed390764b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/33e2168788f8fb5cb8bd4f36cb1ef37d1d34dada
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5860abbf15eeb61838b5e32e721ba67b0aa84450
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6ce38b5a6a49e65bad163162a54cb3f104c40b48
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c337c08819a4ec49edfdcd8fc46fbee120d8a5b2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0e0f9c8218826926d7692980c98236d9f21fd3c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d1f9f79fa2af8e3b45cffdeef66e05833480148a
    Patch