CVE-2025-21972 in Linuxinfo

Summary

by MITRE • 04/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net: mctp: unshare packets when reassembling

Ensure that the frag_list used for reassembly isn't shared with other packets. This avoids incorrect reassembly when packets are cloned, and prevents a memory leak due to circular references between fragments and their skb_shared_info.

The upcoming MCTP-over-USB driver uses skb_clone which can trigger the problem - other MCTP drivers don't share SKBs.

A kunit test is added to reproduce the issue.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/01/2026

The vulnerability identified as CVE-2025-21972 resides within the Linux kernel's MCTP (Management Component Transport Protocol) networking implementation, specifically in the packet reassembly mechanism. This issue affects the network subsystem's handling of fragmented packets and represents a critical flaw that could lead to system instability and potential memory corruption. The problem manifests when the kernel attempts to reassemble fragmented MCTP packets, where the frag_list structure used for reassembly becomes shared across multiple packets, creating a dangerous scenario that violates fundamental memory management principles.

The technical flaw stems from improper handling of shared packet structures during the reassembly process. When the kernel processes fragmented packets, it maintains a frag_list that tracks the fragments comprising a complete packet. However, the vulnerability occurs because this frag_list can be shared between multiple packets, particularly when skb_clone operations are performed. This sharing creates circular references where fragments point back to their parent skb_shared_info structures, establishing a memory cycle that prevents proper garbage collection. The issue is particularly pronounced in the upcoming MCTP-over-USB driver which relies on skb_clone operations, while other MCTP drivers do not exhibit this behavior due to their different packet handling approaches. This represents a classic memory management vulnerability that aligns with CWE-415: Double Free and CWE-416: Use After Free, though specifically manifesting as circular reference issues.

The operational impact of this vulnerability extends beyond simple memory leaks to potentially compromise system stability and security. When packets are cloned and reassembled incorrectly, the kernel may process malformed data or create inconsistent packet states that could be exploited by malicious actors. The memory leak resulting from circular references gradually consumes system resources, potentially leading to denial of service conditions where the system becomes unresponsive due to memory exhaustion. Network performance degradation may also occur as the kernel struggles to manage the corrupted packet structures. This vulnerability affects systems running Linux kernels that implement MCTP networking and specifically those utilizing the MCTP-over-USB driver, making it relevant to embedded systems, IoT devices, and network infrastructure components that rely on MCTP for management communications. The issue demonstrates how seemingly isolated driver implementations can create cascading problems within the kernel's memory management subsystem.

Mitigation strategies for CVE-2025-21972 focus on ensuring proper packet structure isolation during reassembly operations. The primary fix involves modifying the MCTP reassembly code to prevent sharing of frag_list structures between packets, thereby eliminating circular references that cause memory leaks. System administrators should prioritize updating to kernel versions that include the patched implementation, which specifically addresses the skb_clone usage patterns that trigger the vulnerability. The fix incorporates a kunit test to verify proper behavior, ensuring that reassembly operations maintain distinct packet structures. Organizations should also consider implementing monitoring for unusual memory consumption patterns that might indicate the presence of this vulnerability. Additionally, security teams should review their network infrastructure to identify systems running MCTP-over-USB drivers and prioritize patching those components. The solution aligns with ATT&CK technique T1070.004: File Deletion to ensure proper memory management and prevent resource exhaustion attacks that could exploit the circular reference behavior.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00174

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!