CVE-2025-21852

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 12/03/2025
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: Add rx_skb of kfree_skb to raw_tp_null_args[].

Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0]
in trace_kfree_skb if the prog does not check if rx_sk is NULL.

Commit c53795d48ee8 ("net: add rx_sk to trace_kfree_skb") added
rx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.

Let's add kfree_skb to raw_tp_null_args[] to let the BPF verifier
validate such a prog and prevent the issue.

Now we fail to load such a prog:

libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
0: R1=ctx() R10=fp0
; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21
0: (79) r3 = *(u64 *)(r1 +24)
func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
1: (69) r4 = *(u16 *)(r3 +16)
R3 invalid mem access 'trusted_ptr_or_null_'
processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
-- END PROG LOAD LOG --

Note this fix requires commit 838a10bd2ebf ("bpf: Augment raw_tp
arguments with PTR_MAYBE_NULL").

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000010
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
PREEMPT SMP
RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
Call Trace:

 ? __die+0x1f/0x60
 ? page_fault_oops+0x148/0x420
 ? search_bpf_extables+0x5b/0x70
 ? fixup_exception+0x27/0x2c0
 ? exc_page_fault+0x75/0x170
 ? asm_exc_page_fault+0x22/0x30
 ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
 bpf_trace_run4+0x68/0xd0
 ? unix_stream_connect+0x1f4/0x6f0
 sk_skb_reason_drop+0x90/0x120
 unix_stream_connect+0x1f4/0x6f0
 __sys_connect+0x7f/0xb0
 __x64_sys_connect+0x14/0x20
 do_syscall_64+0x47/0xc30
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Vulnerable products and versions

CPE                                                  From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.11 (including)  6.12.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.13 (including)  6.13.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*    -                 -
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*    -                 -
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*    -                 -