CVE-2025-21720

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 27/02/2025
Last modified: 23/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: delete intermediate secpath entry in packet offload mode

Packets handled by hardware have a secpath added as a way to inform XFRM core code that this path was already handled. That secpath is not needed at all after the policy is checked, and it is removed later in the stack.

However, in the case where IP forwarding is enabled (/proc/sys/net/ipv4/ip_forward), that secpath is not removed and packets which were already handled are re-entered into the driver TX path with xfrm_offload set.

The following kernel panic is observed in mlx5 in such a case:

mlx5_core 0000:04:00.0 enp4s0f0np0: Link up
mlx5_core 0000:04:00.1 enp4s0f1np1: Link up
Initializing XFRM netlink socket
IPsec XFRM device driver
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: Oops: 0010 [#1] PREEMPT SMP
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc1-alex #3
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffb87380003800 EFLAGS: 00010206
RAX: ffff8df004e02600 RBX: ffffb873800038d8 RCX: 00000000ffff98cf
RDX: ffff8df00733e108 RSI: ffff8df00521fb80 RDI: ffff8df001661f00
RBP: ffffb87380003850 R08: ffff8df013980000 R09: 0000000000000010
R10: 0000000000000002 R11: 0000000000000002 R12: ffff8df001661f00
R13: ffff8df00521fb80 R14: ffff8df00733e108 R15: ffff8df011faf04e
FS: 0000000000000000(0000) GS:ffff8df46b800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000106384000 CR4: 0000000000350ef0
Call Trace:

? show_regs+0x63/0x70
? __die_body+0x20/0x60
? __die+0x2b/0x40
? page_fault_oops+0x15c/0x550
? do_user_addr_fault+0x3ed/0x870
? exc_page_fault+0x7f/0x190
? asm_exc_page_fault+0x27/0x30
mlx5e_ipsec_handle_tx_skb+0xe7/0x2f0 [mlx5_core]
mlx5e_xmit+0x58e/0x1980 [mlx5_core]
? __fib_lookup+0x6a/0xb0
dev_hard_start_xmit+0x82/0x1d0
sch_direct_xmit+0xfe/0x390
__dev_queue_xmit+0x6d8/0xee0
? __fib_lookup+0x6a/0xb0
? internal_add_timer+0x48/0x70
? mod_timer+0xe2/0x2b0
neigh_resolve_output+0x115/0x1b0
__neigh_update+0x26a/0xc50
neigh_update+0x14/0x20
arp_process+0x2cb/0x8e0
? __napi_build_skb+0x5e/0x70
arp_rcv+0x11e/0x1c0
? dev_gro_receive+0x574/0x820
__netif_receive_skb_list_core+0x1cf/0x1f0
netif_receive_skb_list_internal+0x183/0x2a0
napi_complete_done+0x76/0x1c0
mlx5e_napi_poll+0x234/0x7a0 [mlx5_core]
__napi_poll+0x2d/0x1f0
net_rx_action+0x1a6/0x370
? atomic_notifier_call_chain+0x3b/0x50
? irq_int_handler+0x15/0x20 [mlx5_core]
handle_softirqs+0xb9/0x2f0
? handle_irq_event+0x44/0x60
irq_exit_rcu+0xdb/0x100
common_interrupt+0x98/0xc0

asm_common_interrupt+0x27/0x40
RIP: 0010:pv_native_safe_halt+0xb/0x10
Code: 09 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 22
0f 1f 84 00 00 00 00 00 90 eb 07 0f 00 2d 7f e9 36 00 fb
40 00 83 ff 07 77 21 89 ff ff 24 fd 88 3d a1 bd 0f 21 f8
RSP: 0018:ffffffffbe603de8 EFLAGS: 00000202
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000f92f46680
RDX: 0000000000000037 RSI: 00000000ffffffff RDI: 00000000000518d4
RBP: ffffffffbe603df0 R08: 000000cd42e4dffb R09: ffffffffbe603d70
R10: 0000004d80d62680 R11: 0000000000000001 R12: ffffffffbe60bf40
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffbe60aff8
? default_idle+0x9/0x20
arch_cpu_idle+0x9/0x10
default_idle_call+0x29/0xf0
do_idle+0x1f2/0x240
cpu_startup_entry+0x2c/0x30
rest_init+0xe7/0x100
start_kernel+0x76b/0xb90
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0xc0/0x110
? setup_ghcb+0xe/0x130
common_startup_64+0x13e/0x141

Modules linked in: esp4_offload esp4 xfrm_interface
xfrm6_tunnel tunnel4 tunnel6 xfrm_user xfrm_algo binf
---truncated---

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.2 (excluding)
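An exposure check added here (not part of the CVE record or of the kernel fix) that encodes the three conditions the description and the table above give: a kernel in an affected range, ip_forward enabled, and an xfrm state in packet offload mode. It assumes GNU `sort -V` is available and that iproute2's `ip xfrm state` prints "mode packet" on the offload parameters line of a packet-offload state.

```shell
#!/bin/sh
# Added exposure check for CVE-2025-21720, written for this page; not part of
# the CVE record or of the kernel fix it describes.
# Affected ranges from the CPE table: [6.2, 6.6.76), [6.7, 6.12.13), [6.13, 6.13.2).
# version_lt A B: succeeds if A sorts strictly before B (sort -V orders 6.6.9 < 6.6.76).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# in_range VER LOW HIGH: succeeds if LOW <= VER < HIGH.
in_range() {
    ! version_lt "$1" "$2" && version_lt "$1" "$3"
}

# kernel_affected VER: succeeds if VER (as printed by uname -r) falls in an affected
# range. Suffixes such as "-generic" or "-rc1" are stripped before comparing.
kernel_affected() {
    ver=$(printf '%s' "$1" | sed 's/[-+].*//')
    in_range "$ver" 6.2 6.6.76 || in_range "$ver" 6.7 6.12.13 || in_range "$ver" 6.13 6.13.2
}

# ip_forward_enabled: succeeds if the sysctl named in the description is on.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# packet_offload_present: succeeds if any xfrm state uses packet offload.
# Assumption: iproute2 prints "mode packet" on the offload parameters line of `ip xfrm state`.
packet_offload_present() {
    ip xfrm state 2>/dev/null | grep -q 'mode packet'
}

# check_host: print a verdict for the running host; returns 1 only if all three conditions hold.
check_host() {
    k=$(uname -r)
    if ! kernel_affected "$k"; then
        echo "kernel $k is outside the affected ranges"; return 0
    fi
    if ! ip_forward_enabled; then
        echo "kernel $k affected, but ip_forward is off"; return 0
    fi
    if ! packet_offload_present; then
        echo "kernel $k affected and forwarding, but no packet-offload xfrm state"; return 0
    fi
    echo "EXPOSED: kernel $k, ip_forward=1, packet-offload xfrm state present"; return 1
}

# Run the host check only when invoked with --host, so the functions can also be sourced.
if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run it as `sh check.sh --host`; a non-zero exit means all three conditions hold and the host should be patched to a release at or past the "Up to" version of its series.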