CVE-2025-21701

{"id": "CVE-2025-21701", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.4}]}, "published": "2025-02-13T15:15:20.867", "references": [{"url": "https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid race between device unregistration and ethnl ops\n\nThe following trace can be seen if a device is being unregistered while\nits number of channels are being modified.\n\n DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120\n CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771\n RIP: 0010:__mutex_lock+0xc8a/0x1120\n Call Trace:\n <TASK>\n ethtool_check_max_channel+0x1ea/0x880\n ethnl_set_channels+0x3c3/0xb10\n ethnl_default_set_doit+0x306/0x650\n genl_family_rcv_msg_doit+0x1e3/0x2c0\n genl_rcv_msg+0x432/0x6f0\n netlink_rcv_skb+0x13d/0x3b0\n genl_rcv+0x28/0x40\n netlink_unicast+0x42e/0x720\n netlink_sendmsg+0x765/0xc20\n __sys_sendto+0x3ac/0x420\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x95/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is because unregister_netdevice_many_notify might run before the\nrtnl lock section of ethnl operations, eg. set_channels in the above\nexample. In this example the rss lock would be destroyed by the device\nunregistration path before being used again, but in general running\nethnl operations while dismantle has started is not a good idea.\n\nFix this by denying any operation on devices being unregistered. A check\nwas already there in ethnl_ops_begin, but not wide enough.\n\nNote that the same issue cannot be seen on the ioctl version\n(__dev_ethtool) because the device reference is retrieved from within\nthe rtnl lock section there. Once dismantle started, the net device is\nunlisted and no reference will be found."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: evitar la ejecuci\u00f3n entre la anulaci\u00f3n del registro del dispositivo y las operaciones ethnl. El siguiente rastro se puede ver si se anula el registro de un dispositivo mientras se modifica su n\u00famero de canales. DEBUG_LOCKS_WARN_ON(lock-&gt;magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e. Esto se debe a que unregister_netdevice_many_notify podr\u00eda ejecutarse antes de la secci\u00f3n de bloqueo rtnl de las operaciones ethnl, por ejemplo, set_channels en el ejemplo anterior. En este ejemplo, el bloqueo de rss se destruir\u00eda por la ruta de anulaci\u00f3n del registro del dispositivo antes de volver a usarse, pero en general, ejecutar operaciones ethnl mientras se ha iniciado el desmantelamiento no es una buena idea. Solucione esto denegando cualquier operaci\u00f3n en los dispositivos que se van a anular el registro. Ya hab\u00eda una comprobaci\u00f3n en ethnl_ops_begin, pero no lo suficientemente amplia. Tenga en cuenta que no se puede ver el mismo problema en la versi\u00f3n ioctl (__dev_ethtool) porque la referencia del dispositivo se recupera desde dentro de la secci\u00f3n de bloqueo rtnl all\u00ed. Una vez que se inicia el desmantelamiento, el dispositivo de red no aparece en la lista y no se encontrar\u00e1 ninguna referencia."}], "lastModified": "2025-09-02T20:15:33.237", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}