CVE-2025-21760 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

ndisc: extend RCU protection in ndisc_send_skb()

ndisc_send_skb() can be called without RTNL or RCU held.

Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/25/2026

The vulnerability identified as CVE-2025-21760 resides within the Linux kernel's neighbor discovery implementation, specifically affecting the ndisc_send_skb() function. This issue represents a race condition that could potentially lead to a use-after-free condition, making it a critical concern for system security and stability. The problem manifests in the network stack's handling of IPv6 neighbor discovery messages, where improper locking mechanisms leave the system vulnerable to memory corruption attacks.

The technical flaw occurs when ndisc_send_skb() is invoked without proper RCU (Read-Copy-Update) locking mechanisms being in place. The function can be called without holding either the RTNL (Routing Netlink) lock or RCU lock, which creates a window where the network device context might be freed while the function is still accessing it. This improper synchronization allows for a scenario where dev_net_rcu() is called on a potentially freed network device structure, leading to a use-after-free condition that could be exploited by malicious actors.

From an operational impact perspective, this vulnerability could enable attackers to cause system instability through kernel memory corruption, potentially leading to denial of service conditions or privilege escalation. The vulnerability affects systems running Linux kernels that implement IPv6 neighbor discovery functionality, which is prevalent across most modern Linux distributions. The use-after-free condition creates opportunities for exploitation through carefully crafted network traffic that triggers the vulnerable code path, making it particularly dangerous in network-facing systems.

The recommended mitigation strategy involves applying the kernel patch that ensures rcu_read_lock() is acquired earlier in the ndisc_send_skb() function execution flow. This change enables proper RCU protection and allows safe usage of dev_net_rcu() by ensuring that network device contexts remain valid during function execution. Organizations should prioritize updating their Linux kernel versions to include this fix, particularly in environments where IPv6 neighbor discovery is actively used. The fix aligns with CWE-416, which addresses use-after-free vulnerabilities, and corresponds to techniques documented in the ATT&CK framework under privilege escalation and denial of service tactics. System administrators should also consider implementing network monitoring to detect potential exploitation attempts targeting this specific vulnerability.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.09117

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!