CVE-2025-21762 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

arp: use RCU protection in arp_xmit()

arp_xmit() can be called without RTNL or RCU protection.

Use RCU protection to avoid potential UAF.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/25/2026

The vulnerability identified as CVE-2025-21762 resides within the Linux kernel's Address Resolution Protocol implementation, specifically in the arp_xmit() function. This issue represents a critical race condition that can lead to use-after-free conditions and potential system compromise. The problem manifests when the arp_xmit() function executes without proper synchronization mechanisms, particularly the absence of both RTNL (Routing Netlink) and RCU (Read-Copy-Update) protection. The function's improper execution context creates opportunities for concurrent access patterns that can corrupt memory structures and potentially allow privilege escalation or system instability.

The technical flaw stems from insufficient kernel locking mechanisms within the arp_xmit() function, which handles the transmission of Address Resolution Protocol packets. When this function operates without RCU protection, it becomes vulnerable to simultaneous access from multiple kernel threads or interrupt contexts. This lack of proper synchronization can result in a use-after-free scenario where memory allocated for ARP structures is freed while still being referenced by concurrent operations. The vulnerability specifically affects the kernel's networking subsystem and can be exploited through network packet processing activities that trigger ARP resolution and transmission.

The operational impact of this vulnerability extends beyond simple memory corruption, as it can enable attackers to manipulate kernel memory structures and potentially gain unauthorized access to system resources. The use-after-free condition creates opportunities for arbitrary code execution, especially when combined with other exploitation techniques. The vulnerability affects systems running affected Linux kernel versions where the ARP subsystem is actively used for network communication. Attackers could leverage this weakness by crafting specific network traffic patterns that trigger the vulnerable code path, potentially leading to privilege escalation or denial of service conditions.

Security mitigations for CVE-2025-21762 should focus on implementing proper RCU protection within the arp_xmit() function as resolved in the patched kernel version. System administrators should prioritize kernel updates to address this vulnerability promptly, as the risk of exploitation increases with active network traffic. The fix involves adding appropriate RCU read-side critical sections around the arp_xmit() function to ensure proper synchronization with concurrent readers and writers. Organizations should also monitor for potential exploitation attempts through network monitoring systems that can detect unusual ARP traffic patterns. This vulnerability aligns with CWE-416, which describes use-after-free errors, and may map to ATT&CK technique T1059 for privilege escalation through kernel exploits. Regular kernel patching and maintaining up-to-date security configurations remain essential defenses against such low-level kernel vulnerabilities that can compromise entire system integrity.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00232

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!