CVE-2025-21716 in Linux

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

vxlan: Fix uninit-value in vxlan_vnifilter_dump()

KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1].

If the length of the netlink message payload is less than sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes beyond the message. This can lead to uninit-value access. Fix this by returning an error in such situations.

[1]
BUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422
 vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422
 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786
 netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317
 __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432
 netlink_dump_start include/linux/netlink.h:340 [inline]
 rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline]
 rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882
 netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542
 rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944
 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
 netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347
 netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891
 sock_sendmsg_nosec net/socket.c:711 [inline]
 __sock_sendmsg+0x330/0x3d0 net/socket.c:726
 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637
 __sys_sendmsg net/socket.c:2669 [inline]
 __do_sys_sendmsg net/socket.c:2674 [inline]
 __se_sys_sendmsg net/socket.c:2672 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672
 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4110 [inline]
 slab_alloc_node mm/slub.c:4153 [inline]
 kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205
 kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587
 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678
 alloc_skb include/linux/skbuff.h:1323 [inline]
 netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196
 netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866
 sock_sendmsg_nosec net/socket.c:711 [inline]
 __sock_sendmsg+0x330/0x3d0 net/socket.c:726
 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637
 __sys_sendmsg net/socket.c:2669 [inline]
 __do_sys_sendmsg net/socket.c:2674 [inline]
 __se_sys_sendmsg net/socket.c:2672 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672
 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014


Analysis

by VulDB Data Team • 05/25/2026

The vulnerability identified as CVE-2025-21716 resides within the Linux kernel's VXLAN implementation, specifically in the vxlan_vnifilter_dump() function located in drivers/net/vxlan/vxlan_vnifilter.c. This flaw manifests as an uninitialized value access reported by KMSAN (Kernel Memory Sanitizer), indicating a potential security risk that could be exploited to gain unauthorized access or cause system instability. The issue occurs when processing netlink messages with payloads shorter than the expected struct tunnel_msg size, leading to memory access beyond the allocated buffer boundaries.

The technical root cause involves improper validation of message length before accessing message payload data. When the length of incoming netlink messages is insufficient to contain a complete struct tunnel_msg, the function attempts to read uninitialized memory regions, potentially exposing sensitive kernel data or causing unpredictable behavior. This uninitialized memory access pattern aligns with CWE-457: Use of Uninitialized Variable, which is a common class of vulnerabilities in kernel space programming where variables are used without proper initialization. The vulnerability is triggered during netlink dump operations, specifically when handling rtnetlink messages through the netlink dump infrastructure.

The operational impact of this vulnerability extends beyond simple memory corruption, as it can be leveraged to potentially extract kernel memory contents or cause denial of service conditions. Attackers could craft malicious netlink messages with intentionally short payloads to trigger the uninitialized value access, which may result in information disclosure or system crashes. The vulnerability affects systems utilizing VXLAN (Virtual eXtensible Local Area Network) functionality, particularly those employing netlink interfaces for network configuration and monitoring. The attack surface is broadened by the fact that this occurs in kernel space, meaning successful exploitation could lead to privilege escalation or complete system compromise. The KMSAN stack trace indicates the vulnerability originates from the netlink subsystem and propagates through the rtnetlink dump mechanism, making it accessible through standard network management interfaces.

Mitigation strategies for this vulnerability involve implementing proper input validation within the vxlan_vnifilter_dump() function to ensure message lengths meet minimum requirements before accessing payload data. The fix should return an error code when message lengths are insufficient, preventing the uninitialized memory access. System administrators should ensure their kernel versions are updated to include the patched implementation, which addresses the core issue by validating message sizes against expected structures. Additionally, monitoring and logging of netlink message processing can help detect anomalous behavior that might indicate exploitation attempts. Organizations should also consider implementing network segmentation and access controls to limit exposure to potentially malicious netlink communications. The vulnerability demonstrates the importance of robust input validation in kernel space code and aligns with ATT&CK technique T1068: Exploitation for Privilege Escalation, where memory corruption vulnerabilities can be leveraged to gain elevated privileges. Regular kernel updates and security auditing of network subsystems remain critical defensive measures against similar classes of vulnerabilities.
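The length check the commit message describes, and the input validation the analysis above recommends, shown as a user-space C model added here (this is not the kernel's code). The struct layouts are constructed to mirror struct nlmsghdr and struct tunnel_msg, the function names vnifilter_dump_model() and run_dump() are hypothetical, and run_dump() feeds constructed dump requests of varying payload length through the check so the rejected and accepted cases can be compared.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Constructed 16-byte header with the same layout as the kernel's struct nlmsghdr. */
struct nlmsghdr_model {
    uint32_t nlmsg_len;               /* total length, header included */
    uint16_t nlmsg_type, nlmsg_flags;
    uint32_t nlmsg_seq, nlmsg_pid;
};
/* Constructed stand-in for struct tunnel_msg (family, flags, reserved, ifindex). */
struct tunnel_msg_model {
    uint8_t  family, flags;
    uint16_t reserved;
    uint32_t ifindex;
};
/* Hardened dump entry: a message whose payload cannot hold a full tunnel_msg
 * is rejected with -EINVAL instead of having its fields read from bytes the
 * sender never supplied (the uninit-value that KMSAN reported). */
int vnifilter_dump_model(const uint8_t *msg, size_t size, uint32_t *ifindex_out)
{
    struct nlmsghdr_model nlh;
    struct tunnel_msg_model tmsg;
    if (size < sizeof(nlh))
        return -EINVAL;
    memcpy(&nlh, msg, sizeof(nlh));
    if (nlh.nlmsg_len > size)         /* header claims more than was received */
        return -EINVAL;
    /* nlmsg_len() in kernel terms is the payload after the header; this is the
     * check the fix adds. Without it the memcpy below reads past the payload. */
    if ((int)nlh.nlmsg_len - (int)sizeof(nlh) < (int)sizeof(tmsg))
        return -EINVAL;
    memcpy(&tmsg, msg + sizeof(nlh), sizeof(tmsg));
    *ifindex_out = tmsg.ifindex;
    return 0;
}

/* Build a constructed dump request with `payload` bytes after the header and
 * feed it to the dump entry. Returns the parsed ifindex, or -errno on rejection. */
long run_dump(size_t payload, uint32_t ifindex)
{
    uint8_t buf[64] = {0}; uint32_t ifx = 0;
    struct nlmsghdr_model nlh = { (uint32_t)(sizeof(nlh) + payload), 0, 0, 1, 0 };
    struct tunnel_msg_model tmsg = { 0, 0, 0, ifindex };
    memcpy(buf, &nlh, sizeof(nlh));
    if (payload >= sizeof(tmsg))      /* only a full payload carries a tunnel_msg */
        memcpy(buf + sizeof(nlh), &tmsg, sizeof(tmsg));
    int rc = vnifilter_dump_model(buf, sizeof(nlh) + payload, &ifx);
    return rc ? (long)rc : (long)ifx;
}
```

A header-only request (payload 0) and a truncated one (payload 4) are both refused before any tunnel_msg field is read; only a payload of at least sizeof(struct tunnel_msg_model) reaches the parse.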

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00182

KEV

no

Activities

very low
