CVE-2025-21790 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
vxlan: check vxlan_vnigroup_init() return value
vxlan_init() must check vxlan_vnigroup_init() success otherwise a crash happens later, spotted by syzbot.
Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167]
CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912 Code: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00 RSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb RDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18 RBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000 R13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000 FS: 00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942 unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824 unregister_netdevice_many net/core/dev.c:11866 [inline]
unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736 register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901 __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981 vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407 rtnl_newlink_create net/core/rtnetlink.c:3795 [inline]
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability identified as CVE-2025-21790 resides within the Linux kernel's VXLAN (Virtual eXtensible Local Area Network) implementation, specifically in the vxlan_init function where it fails to properly validate the return value of vxlan_vnigroup_init. This oversight leads to a potential null pointer dereference condition that can result in a kernel crash. The issue was detected by syzbot, an automated bug finding system, which revealed that when vxlan_vnigroup_init() fails during initialization, the calling function does not check its return status before proceeding with subsequent operations. This failure to validate the initialization outcome creates a scenario where uninitialized memory structures are accessed, leading to a general protection fault. The crash occurs during the vxlan_vnigroup_uninit function when attempting to access a null pointer at a non-canonical address, indicating that memory management has been compromised due to the unchecked initialization failure.
The technical flaw manifests as a classic null pointer dereference vulnerability, which aligns with CWE-476, indicating a null pointer dereference condition in the kernel's VXLAN subsystem. The vulnerability stems from inadequate error handling within the kernel's network device initialization sequence, where the vxlan_init function assumes that vxlan_vnigroup_init will always succeed without proper validation. This pattern of error handling failure allows for a cascade of operations that ultimately leads to memory corruption and system instability. The KASAN (Kernel Address Sanitizer) output specifically identifies the null pointer dereference in the range 0x0000000000000160-0x0000000000000167, confirming that the issue occurs during memory access operations where expected data structures have not been properly initialized. The crash trace shows that the fault originates from vxlan_vnigroup_uninit function, which is called during device cleanup operations, indicating that the improper initialization affects the entire VXLAN device lifecycle management.
The operational impact of this vulnerability extends beyond simple system crashes, as it can be exploited to cause denial of service conditions within virtualized network environments that rely on VXLAN tunneling. Attackers could potentially trigger this condition through malformed network device creation requests, leading to kernel panics that would disrupt network services and potentially allow for privilege escalation or information disclosure depending on the system's security posture. The vulnerability affects systems running Linux kernel versions that include the affected VXLAN implementation, particularly those that utilize VXLAN for network virtualization, container networking, or software-defined networking solutions. The crash scenario described indicates that the system would likely experience a kernel oops followed by a system reboot or lockup, depending on the kernel configuration and system recovery mechanisms in place.
Mitigation strategies for this vulnerability require immediate patch application from kernel maintainers to ensure that vxlan_init properly checks the return value of vxlan_vnigroup_init before proceeding with further initialization steps. System administrators should prioritize updating their kernel versions to include the fix for this specific vulnerability, as the null pointer dereference can be reliably triggered through network device management operations. Additionally, monitoring systems should be configured to detect kernel oops messages or system crashes related to VXLAN operations, as these could indicate exploitation attempts. The fix should be implemented following standard kernel development practices, ensuring that error conditions are properly handled and that appropriate error codes are propagated through the call stack. Organizations utilizing VXLAN-based networking solutions should also consider implementing network access controls and monitoring to prevent unauthorized device creation attempts that could trigger the vulnerability, aligning with ATT&CK technique T1059.005 for command and scripting interpreter usage in potentially compromised environments.