CVE-2025-21653

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 19/01/2025
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute

syzbot found that TCA_FLOW_RSHIFT attribute was not validated.
Right shifting a 32bit integer is undefined for large shift values.

UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23
shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')
CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329
tc_classify include/net/tc_wrapper.h:197 [inline]
__tcf_classify net/sched/cls_api.c:1771 [inline]
tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867
sfb_classify net/sched/sch_sfb.c:260 [inline]
sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318
dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793
__dev_xmit_skb net/core/dev.c:3889 [inline]
__dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
neigh_hh_output include/net/neighbour.h:523 [inline]
neigh_output include/net/neighbour.h:537 [inline]
ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173
geneve_xmit_skb drivers/net/geneve.c:916 [inline]
geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039
__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
netdev_start_xmit include/linux/netdevice.h:5011 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606
__dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434
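
A userspace C model of the pattern the description names, added here as an illustration and not the kernel's own code: the shift count is range-checked once, when the attribute is parsed, so the per-packet shift is always defined. `ATTR_RSHIFT`, `struct flow_params`, `flow_set_rshift`, `flow_classid` and `make_attr` are hypothetical names, and the classid arithmetic is a simplified assumption about the classifier's hot path.

```c
/* Added example: validate a u32 shift attribute at configuration time. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_RSHIFT 4u                              /* constructed type id */
struct attr_hdr { uint16_t len; uint16_t type; };   /* netlink-style TLV header */
struct flow_params { uint32_t mask, xor_val, rshift, addend; };

/* Parse one TLV carrying a u32 shift count. Malformed TLV: -EINVAL.
 * Well-formed TLV whose value a 32-bit shift cannot take: -ERANGE. */
int flow_set_rshift(struct flow_params *p, const uint8_t *buf, size_t buflen)
{
    struct attr_hdr h;
    uint32_t val;
    if (buflen < sizeof(h))
        return -EINVAL;
    memcpy(&h, buf, sizeof(h));
    if (h.type != ATTR_RSHIFT || h.len != sizeof(h) + sizeof(val) || h.len > buflen)
        return -EINVAL;
    memcpy(&val, buf + sizeof(h), sizeof(val));
    if (val >= 32)              /* shifting a 32-bit value by >= 32 is undefined */
        return -ERANGE;
    p->rshift = val;            /* state changes only after every check passed */
    return 0;
}

/* Per-packet path: well defined only because rshift was bounded above. */
uint32_t flow_classid(const struct flow_params *p, uint32_t key)
{
    return (((key & p->mask) ^ p->xor_val) >> p->rshift) + p->addend;
}

/* Build a constructed 8-byte attribute for the demo; returns its length. */
size_t make_attr(uint8_t *out, uint32_t val)
{
    struct attr_hdr h = { (uint16_t)(sizeof(h) + sizeof(val)), ATTR_RSHIFT };
    memcpy(out, &h, sizeof(h));
    memcpy(out + sizeof(h), &val, sizeof(val));
    return h.len;
}

int main(void)
{
    struct flow_params p = { 0xffffffffu, 0, 0, 1 };
    uint8_t buf[8];
    int rc = flow_set_rshift(&p, buf, make_attr(buf, 9445)); /* value from the UBSAN report */
    printf("rshift=9445 -> rc=%d, stored rshift=%u\n", rc, p.rshift);
    rc = flow_set_rshift(&p, buf, make_attr(buf, 31));
    printf("rshift=31   -> rc=%d, classid=%u\n", rc, flow_classid(&p, 0x80000000u));
    return 0;
}
```
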

Vulnerable products and versions

CPE                                                 From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        2.6.25 (including)  5.4.290 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.5 (including)     5.10.234 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.11 (including)    5.15.177 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.16 (including)    6.1.125 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.2 (including)     6.6.72 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)     6.12.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*