CVE-2025-21725 in Linux

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix oops due to unset link speed

It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always be set by the server, so the client must handle any values and then prevent oopses like below from happening:

Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014
RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs]
Code: 00 00 48 89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8 e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 f7 74 24 18 48 89 c3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24
RSP: 0018:ffffc90001817be0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99
RDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228
RBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac
R10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200
R13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58
FS:  00007fe27119e740(0000) GS:ffff888148600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 ? __die_body.cold+0x19/0x27
 ? die+0x2e/0x50
 ? do_trap+0x159/0x1b0
 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]
 ? do_error_trap+0x90/0x130
 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]
 ? exc_divide_error+0x39/0x50
 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]
 ? asm_exc_divide_error+0x1a/0x20
 ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs]
 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]
 ? seq_read_iter+0x42e/0x790
 seq_read_iter+0x19a/0x790
 proc_reg_read_iter+0xbe/0x110
 ? __pfx_proc_reg_read_iter+0x10/0x10
 vfs_read+0x469/0x570
 ? do_user_addr_fault+0x398/0x760
 ? __pfx_vfs_read+0x10/0x10
 ? find_held_lock+0x8a/0xa0
 ? __pfx_lock_release+0x10/0x10
 ksys_read+0xd3/0x170
 ? __pfx_ksys_read+0x10/0x10
 ? __rcu_read_unlock+0x50/0x270
 ? mark_held_locks+0x1a/0x90
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe271288911
Code: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
RSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911
RDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003
RBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380
R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000
R13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000

Fix this by setting cifs_server_iface::speed to a sane value (1Gbps) by default when link speed is unset.


Analysis

by VulDB Data Team • 05/25/2026

CVE-2025-21725 is a denial-of-service flaw in the Linux kernel's SMB/CIFS client (fs/smb/client). When the client asks a server for its network interfaces, each NETWORK_INTERFACE_INFO record carries a LinkSpeed field that the server is not obliged to fill in. The client copied that value into cifs_server_iface::speed as received, so an interface whose speed the server never set was recorded with a speed of 0. Every consumer of that field assumed it was non-zero, and that assumption is what fails here; the value is not uninitialized memory but a zero the server sent (or left at its default).

The crash site is cifs_debug_data_proc_show, the function behind /proc/fs/cifs/DebugData. While printing a session's interface list it derives a relative weight for each interface by dividing that interface's speed by the slowest speed in the list. With a zero-speed interface in the list the divisor is 0. The dump bears this out: the Code: bytes around the RIP contain `31 d2` (xor edx,edx) followed by `f7 74 24 18` (div with a stack divisor at [rsp+0x18]), the only instruction in that window that can raise #DE, and RAX and RDX are both 0 at the fault, so the dividend (this interface's speed) was zero as well. The CPU raises the divide-error exception, the kernel reports "divide error" and oopses in the context of whatever process was reading the file (here `cat`, PID 1323, through seq_read_iter, vfs_read and ksys_read). The correct weakness class is CWE-369 (Divide By Zero), not CWE-476 (NULL Pointer Dereference): no pointer is dereferenced and nothing is read before initialization. If an ATT&CK mapping is wanted at all, the closest is the Impact technique T1489 (Service Stop), since the effect is loss of the file-access service; ATT&CK describes adversary behaviour rather than code defects, so the mapping is loose.

The impact is a denial of service, and it is worth being precise about its scope. An oops taken in a syscall path kills the calling task and leaves the kernel tainted; the whole machine goes down only where kernel.panic_on_oops=1 is set or where the dying task held locks the rest of the system needs. Any SMB server that reports a zero LinkSpeed, whether through omission, misconfiguration or intent, plants the zero in the client's interface list at session setup, and from then on every local read of /proc/fs/cifs/DebugData on that host, including reads by monitoring or support tooling that collects it routinely, reproduces the fault. Hosts that mount shares from servers they do not administer carry the most exposure. The fix sets cifs_server_iface::speed to 1 Gbps whenever the server's LinkSpeed is unset, so the divisor in the weight calculation can no longer be zero.
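To make the two halves of the bug concrete, the following is an added userland model written for this page; it is not kernel source. It decodes a constructed NETWORK_INTERFACE_INFO LinkSpeed field into an interface table with either the unpatched behaviour (keep a zero) or the patched one (substitute 1 Gbps, as the fix does), then runs a simplified version of the debug dump's weight arithmetic over the table. The type and function names (server_iface, parse_link_speed_unpatched, parse_link_speed_patched, iface_weight, dump_would_fault) and the three sample records are the example's own; the real dump has no guard, so where this model reports a zero divisor the kernel executes the divide and oopses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 1 Gbps in bits per second: the default the upstream fix falls back to. */
#define CIFS_DEFAULT_LINK_SPEED 1000000000ULL

/* Stand-in for the kernel's cifs_server_iface; only the fields used here. */
struct server_iface {
	uint64_t speed;            /* bits per second, from NETWORK_INTERFACE_INFO::LinkSpeed */
	unsigned int num_channels;
};

/* Decode a little-endian 64-bit field byte by byte (the kernel uses le64_to_cpu). */
static uint64_t le64_from_bytes(const uint8_t b[8])
{
	uint64_t v = 0;
	for (int i = 7; i >= 0; i--)
		v = (v << 8) | b[i];
	return v;
}

/* Unpatched behaviour: trust LinkSpeed as sent, so an unset field yields speed == 0. */
uint64_t parse_link_speed_unpatched(const uint8_t link_speed_le[8])
{
	return le64_from_bytes(link_speed_le);
}

/* Patched behaviour: an unset LinkSpeed becomes 1 Gbps, so later arithmetic never sees zero. */
uint64_t parse_link_speed_patched(const uint8_t link_speed_le[8])
{
	uint64_t speed = le64_from_bytes(link_speed_le);
	return speed ? speed : CIFS_DEFAULT_LINK_SPEED;
}

/* The dump weights interfaces relative to the slowest one in the list. */
uint64_t min_iface_speed(const struct server_iface *ifaces, size_t n)
{
	uint64_t min = UINT64_MAX;
	for (size_t i = 0; i < n; i++)
		if (ifaces[i].speed < min)
			min = ifaces[i].speed;
	return n ? min : 0;
}

/* weight = speed / slowest speed.  This model refuses a zero divisor and
 * returns -1; the kernel has no such check, which is the #DE in the oops. */
int iface_weight(const struct server_iface *iface, uint64_t min_speed, uint64_t *weight)
{
	if (min_speed == 0)
		return -1;
	*weight = iface->speed / min_speed;
	return 0;
}

/* Build the table with the given parser and return how many weight computations
 * would have divided by zero (the kernel dies at the first one; 0 means safe). */
int dump_would_fault(uint64_t (*parse)(const uint8_t[8]),
		     const uint8_t (*records)[8], size_t n)
{
	struct server_iface ifaces[8];
	int faults = 0;

	if (n > 8)
		n = 8;
	for (size_t i = 0; i < n; i++) {
		ifaces[i].speed = parse(records[i]);
		ifaces[i].num_channels = 1;
	}

	uint64_t min = min_iface_speed(ifaces, n);
	for (size_t i = 0; i < n; i++) {
		uint64_t w;
		if (iface_weight(&ifaces[i], min, &w) < 0) {
			faults++;
			printf("  iface %zu: speed=%llu bps -> weight would divide by zero\n",
			       i, (unsigned long long)ifaces[i].speed);
		} else {
			printf("  iface %zu: speed=%llu bps weight=%llu\n",
			       i, (unsigned long long)ifaces[i].speed, (unsigned long long)w);
		}
	}
	return faults;
}

/* Constructed sample LinkSpeed fields (little-endian): 10 Gbps, 1 Gbps, and one
 * the server never set, which is the case this CVE is about. */
static const uint8_t sample_records[3][8] = {
	{0x00, 0xe4, 0x0b, 0x54, 0x02, 0x00, 0x00, 0x00}, /* 10 000 000 000 */
	{0x00, 0xca, 0x9a, 0x3b, 0x00, 0x00, 0x00, 0x00}, /*  1 000 000 000 */
	{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, /* unset */
};

int main(void)
{
	printf("unpatched parser:\n");
	int before = dump_would_fault(parse_link_speed_unpatched, sample_records, 3);
	printf("patched parser:\n");
	int after = dump_would_fault(parse_link_speed_patched, sample_records, 3);
	return (before > 0 && after == 0) ? 0 : 1;
}
```

With the unpatched parser the slowest interface has speed 0, so every weight computation hits a zero divisor; with the patched parser the unset interface is treated as 1 Gbps and the weights come out as 10, 1 and 1. The guard inside iface_weight is the belt-and-braces check a reviewer would also want in the consumer, independent of the default the parser applies.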

The remedy is a kernel that carries the fix. Until one is deployed, reduce exposure by auditing anything that reads /proc/fs/cifs/DebugData (collectors, support bundles, debugging scripts) and by treating mounts of SMB servers outside your control as the risky case, since the zero enters the client at session setup and the read is only the trigger. Note that reading DebugData to "check" for a zero-speed interface is not a safe test on an unfixed kernel; it is the crash path. The lesson for code that consumes network-supplied values is the usual one: a field the peer may leave unset needs either a sane default at parse time, which is what this patch adds, or a guard at every arithmetic use, and ideally both.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00171

KEV

no

Activities

very low

Sources
