CVE-2025-21867

EUVD-2025-8435
In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()

KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The
cause of the issue was that eth_skb_pkt_type() accessed skb's data
that didn't contain an Ethernet header. This occurs when
bpf_prog_test_run_xdp() passes an invalid value as the user_data
argument to bpf_test_init().

Fix this by returning an error when user_data is less than ETH_HLEN in
bpf_test_init(). Additionally, remove the check for "if (user_size >
size)" as it is unnecessary.

[1]
BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
 eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
 eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
 __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635
 xdp_recv_frames net/bpf/test_run.c:272 [inline]
 xdp_test_run_batch net/bpf/test_run.c:361 [inline]
 bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390
 bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318
 bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371
 __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777
 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864
 x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 free_pages_prepare mm/page_alloc.c:1056 [inline]
 free_unref_page+0x156/0x1320 mm/page_alloc.c:2657
 __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838
 bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]
 ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235
 bpf_map_free kernel/bpf/syscall.c:838 [inline]
 bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310
 worker_thread+0xedf/0x1550 kernel/workqueue.c:3391
 kthread+0x535/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014

CVSS 3.x Base Score
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.8 HIGH | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score
Percentile: 10%

Affected Products (NVD)
Vendor | Product | Version
linux | linux_kernel | 5.18 ≤ x < 6.1.130
linux | linux_kernel | 6.2 ≤ x < 6.6.80
linux | linux_kernel | 6.7 ≤ x < 6.12.17
linux | linux_kernel | 6.13 ≤ x < 6.13.5
linux | linux_kernel | 6.14:rc1
linux | linux_kernel | 6.14:rc2
linux | linux_kernel | 6.14:rc3
x = Vulnerable software versions
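
A triage check for the upstream ranges in the NVD table above, added here as an example and not part of the original advisory. The function and constant names are hypothetical; the ranges are copied from the table, and the result is only meaningful for kernel.org version numbers, since vendor kernels carry backports and are covered by the distribution tables.

```python
import re

# Upstream ranges from the "Affected Products (NVD)" table: start <= x < end.
AFFECTED_RANGES = [
    ((5, 18, 0), (6, 1, 130)),
    ((6, 2, 0), (6, 6, 80)),
    ((6, 7, 0), (6, 12, 17)),
    ((6, 13, 0), (6, 13, 5)),
]
# Release candidates the table lists individually (6.14:rc1 .. 6.14:rc3).
AFFECTED_RCS = {"6.14-rc1", "6.14-rc2", "6.14-rc3"}

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?")


def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc or None)."""
    m = RELEASE_RE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), rc


def is_affected_upstream(release):
    """True if an upstream release falls inside a range listed on this page.

    Only meaningful for kernel.org version numbers: vendor kernels carry
    backports, so their status comes from the vendor tables instead.
    """
    version, rc = parse_release(release)
    if rc is not None:
        # Pre-releases sort before x.y.0, so they are matched by name only.
        return f"{version[0]}.{version[1]}-{rc}" in AFFECTED_RCS
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs, except the first, which is the kernel
    # string from the KMSAN report above.
    for rel in ["6.12.0-05490-g9bb88c659673", "6.1.129", "6.1.130",
                "6.6.80", "6.13.4", "6.14.0-rc2", "6.14.0", "5.17.15"]:
        print(f"{rel:30} affected={is_affected_upstream(rel)}")
```
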

Debian Releases
Debian Product | Codename | Version | Status
linux | bookworm | 6.1.170-3 | fixed
linux | bookworm (security) | 6.1.174-1 | fixed
linux | bullseye | 5.10.223-1 | fixed
linux | bullseye (security) | 5.10.257-1 | fixed
linux | forky | 7.0.10-1 | fixed
linux | sid | 7.0.10-1 | fixed
linux | trixie | 6.12.86-1 | fixed
linux | trixie (security) | 6.12.90-2 | fixed
linux-6.1 | bullseye (security) | 6.1.174-1~deb11u1 | fixed

openSUSE / SLES Releases
openSUSE Product | Release | Version | Status
kernel-64kb | suse enterprise desktop 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-64kb | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-64kb | suse enterprise sap 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-64kb | suse enterprise sap 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-64kb | suse enterprise server 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-64kb | suse enterprise server 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-azure | suse enterprise sap 15 SP6 | 6.4.0-150600.8.37.1 | fixed
kernel-azure | suse enterprise sap 15 SP7 | 6.4.0-150700.20.3.1 | fixed
kernel-azure | suse enterprise server 15 SP6 | 6.4.0-150600.8.37.1 | fixed
kernel-azure | suse enterprise server 15 SP7 | 6.4.0-150700.20.3.1 | fixed
kernel-default | suse enterprise desktop 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-default | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-default | suse enterprise sap 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-default | suse enterprise sap 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-default | suse enterprise server 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-default | suse enterprise server 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-default-base | suse enterprise desktop 15 SP6 | 6.4.0-150600.23.50.1.150600.12.22.1 | fixed
kernel-default-base | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.3.1.150700.17.2.1 | fixed
kernel-default-base | suse enterprise sap 15 SP6 | 6.4.0-150600.23.50.1.150600.12.22.1 | fixed
kernel-default-base | suse enterprise sap 15 SP7 | 6.4.0-150700.53.3.1.150700.17.2.1 | fixed
kernel-default-base | suse enterprise server 15 SP6 | 6.4.0-150600.23.50.1.150600.12.22.1 | fixed
kernel-default-base | suse enterprise server 15 SP7 | 6.4.0-150700.53.3.1.150700.17.2.1 | fixed
kernel-docs | suse enterprise desktop 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-docs | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-docs | suse enterprise sap 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-docs | suse enterprise sap 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-docs | suse enterprise server 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-docs | suse enterprise server 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-macros | suse enterprise desktop 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-macros | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-macros | suse enterprise sap 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-macros | suse enterprise sap 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-macros | suse enterprise server 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-macros | suse enterprise server 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-obs-build | suse enterprise desktop 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-obs-build | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-obs-build | suse enterprise sap 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-obs-build | suse enterprise sap 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-obs-build | suse enterprise server 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-obs-build | suse enterprise server 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-source | suse enterprise desktop 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-source | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-source | suse enterprise sap 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-source | suse enterprise sap 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-source | suse enterprise server 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-source | suse enterprise server 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-source-azure | suse enterprise sap 15 SP6 | 6.4.0-150600.8.37.1 | fixed
kernel-source-azure | suse enterprise sap 15 SP7 | 6.4.0-150700.20.3.1 | fixed
kernel-source-azure | suse enterprise server 15 SP6 | 6.4.0-150600.8.37.1 | fixed
kernel-source-azure | suse enterprise server 15 SP7 | 6.4.0-150700.20.3.1 | fixed
kernel-syms | suse enterprise desktop 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-syms | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-syms | suse enterprise sap 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-syms | suse enterprise sap 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-syms | suse enterprise server 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-syms | suse enterprise server 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-syms-azure | suse enterprise sap 15 SP6 | 6.4.0-150600.8.37.1 | fixed
kernel-syms-azure | suse enterprise sap 15 SP7 | 6.4.0-150700.20.3.1 | fixed
kernel-syms-azure | suse enterprise server 15 SP6 | 6.4.0-150600.8.37.1 | fixed
kernel-syms-azure | suse enterprise server 15 SP7 | 6.4.0-150700.20.3.1 | fixed
kernel-zfcpdump | suse enterprise desktop 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-zfcpdump | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-zfcpdump | suse enterprise sap 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-zfcpdump | suse enterprise sap 15 SP7 | 6.4.0-150700.53.3.1 | fixed
kernel-zfcpdump | suse enterprise server 15 SP6 | 6.4.0-150600.23.50.1 | fixed
kernel-zfcpdump | suse enterprise server 15 SP7 | 6.4.0-150700.53.3.1 | fixed

Red Hat Enterprise Linux Releases
Red Hat Product | Release | Version | Status
bpftool | RHEL 9 | 0:7.0.0-284.11.1.el9_2 | fixed
kernel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-debug | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-debug-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-debug-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-debug-devel-matched | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-debug-modules | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-debug-modules-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-debug-modules-extra | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-devel-matched | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-modules | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-modules-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-64k-modules-extra | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-abi-stablelists | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-debug | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-debug-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-debug-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-debug-devel-matched | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-debug-modules | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-debug-modules-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-debug-modules-extra | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-debug-uki-virt | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-devel-matched | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-doc | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-modules | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-modules-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-modules-extra | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-debug | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-debug-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-debug-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-debug-modules | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-debug-modules-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-debug-modules-extra | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-modules | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-modules-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-64k-modules-extra | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-debug | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-debug-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-debug-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-debug-kvm | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-debug-modules | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-debug-modules-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-debug-modules-extra | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-kvm | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-modules | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-modules-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-rt-modules-extra | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-tools | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-tools-libs | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-tools-libs-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-uki-virt | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-uki-virt-addons | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-zfcpdump | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-zfcpdump-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-zfcpdump-devel | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-zfcpdump-devel-matched | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-zfcpdump-modules | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-zfcpdump-modules-core | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
kernel-zfcpdump-modules-extra | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
libperf | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
perf | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
python3-perf | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
rtla | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed
rv | RHEL 9 | 0:5.14.0-570.35.1.el9_6 | fixed