CVE-2025-21919

HIGH EPSS 8.4%
Published Apr 1, 20251y ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 1, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
8.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel*≥5.13  –  <5.15.179
linuxlinux_kernel*≥5.16  –  <6.1.131
linuxlinux_kernel*≥6.2  –  <6.6.83
linuxlinux_kernel*≥6.7  –  <6.12.19
linuxlinux_kernel*≥6.13  –  <6.13.7
linuxlinux_kernel6.14any
linuxlinux_kernel6.14any
linuxlinux_kernel6.14any
linuxlinux_kernel6.14any
linuxlinux_kernel6.14any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f
    Patch