CVE-2025-22105 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

bonding: check xdp prog when set bond mode

The following operations can trigger a warning[1]:

    ip netns add ns1
    ip netns exec ns1 ip link add bond0 type bond mode balance-rr
    ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp
    ip netns exec ns1 ip link set bond0 type bond mode broadcast
    ip netns del ns1

When deleting the namespace, dev_xdp_uninstall() is called to remove the xdp program on the bond dev, and bond_xdp_set() will check the bond mode. If the bond mode is changed after attaching the xdp program, the warning may occur.

Some bond modes (broadcast, etc.) do not support native xdp. Setting the bond mode with an xdp program attached is not good. Add a check for the xdp program when setting the bond mode.

[1]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930
Modules linked in:
CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930
Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...
RSP: 0018:ffffc90000063d80 EFLAGS: 00000282
RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff
RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48
RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb
R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8
R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000
FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 ? __warn+0x83/0x130
 ? unregister_netdevice_many_notify+0x8d9/0x930
 ? report_bug+0x18e/0x1a0
 ? handle_bug+0x54/0x90
 ? exc_invalid_op+0x18/0x70
 ? asm_exc_invalid_op+0x1a/0x20
 ? unregister_netdevice_many_notify+0x8d9/0x930
 ? bond_net_exit_batch_rtnl+0x5c/0x90
 cleanup_net+0x237/0x3d0
 process_one_work+0x163/0x390
 worker_thread+0x293/0x3b0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xec/0x1e0
 ? __pfx_kthread+0x10/0x10
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2f/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>
---[ end trace 0000000000000000 ]---


Analysis

by VulDB Data Team • 02/15/2026

The vulnerability described in CVE-2025-22105 affects the Linux kernel's bonding driver, specifically concerning the handling of XDP (eXpress Data Path) programs when changing bond modes. This issue arises from a lack of proper validation during the process of switching bond modes while an XDP program is attached to the bond device. The problem manifests when userspace operations attempt to modify the bonding mode after an XDP program has been loaded onto a bond interface, leading to potential system instability and kernel warnings. The root cause lies in the absence of a check within the bonding driver to verify whether an XDP program is currently attached before allowing a mode change operation.

The technical flaw occurs in the bond_xdp_set() function which is responsible for managing XDP program attachments to bond devices. When a namespace containing a bond interface with an attached XDP program is deleted, the dev_xdp_uninstall() function is invoked to remove the XDP program. However, the system fails to validate that the bond mode has not changed since the XDP program was attached, resulting in a mismatch between the expected XDP capabilities of the current mode and the actual program that was loaded. This mismatch triggers a kernel warning during the cleanup process when unregister_netdevice_many_notify() is called, indicating a potential memory corruption or resource management issue. The vulnerability is particularly concerning because it can lead to system crashes or unpredictable behavior when the kernel attempts to clean up network devices in a namespace that has been destroyed.

The operational impact of this vulnerability extends beyond simple warning messages to potentially critical system stability issues. When the kernel encounters this condition during namespace cleanup, it can result in kernel panics or system hangs that may require a reboot to resolve. The vulnerability is exploitable through legitimate network management operations that involve creating network namespaces, setting up bonding interfaces, attaching XDP programs, changing bond modes, and then deleting the namespace. This sequence of operations can occur in legitimate network virtualization environments or when administrators are configuring complex network topologies using bonding and XDP technologies. The issue is particularly relevant in containerized environments or network function virtualization scenarios where namespace management and dynamic network configuration are common practices. According to CWE classification, this vulnerability relates to CWE-691: Insufficient Control Flow Management, as it involves inadequate handling of control flow during resource cleanup operations.

Mitigation strategies for this vulnerability should focus on implementing proper validation checks within the bonding driver before allowing mode changes when XDP programs are attached. The fix requires modifying the bond mode change logic to verify that no XDP program is currently attached to the bond device before permitting a mode transition. This approach aligns with ATT&CK technique T1059.003 for privilege escalation and system compromise through kernel-level manipulation. Administrators should avoid changing bond modes while XDP programs are attached to bond interfaces, particularly in production environments where stability is critical. The recommended solution involves adding a check in the bond mode change handler to return an error if an XDP program is present, forcing administrators to detach the XDP program before changing the mode. Additionally, system monitoring should be implemented to detect and alert on such conditions, as the kernel warning indicates a potential state inconsistency that could lead to more severe issues if not addressed promptly. The fix should be applied to all kernel versions that support both bonding and XDP functionality, with particular attention to enterprise and server environments where these features are commonly deployed.
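
One way to enforce the "detach the XDP program before changing the mode" advice from an operator script, as an added example that is not part of the advisory or of the kernel fix. The function names `run_ip`, `link_has_xdp` and `set_bond_mode_checked`, the return codes and the sample `ip` output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not kernel or iproute2 code: refuse a bond mode change while
# an XDP program is attached, so the mismatched state is never created.

# Every iproute2 call goes through run_ip; redefine it to target a namespace,
# e.g. run_ip() { ip netns exec ns1 ip "$@"; }
run_ip() { ip "$@"; }

# Exit 0 when `ip -details link show` text on stdin reports an attached XDP
# program: an xdp* flag on the header line or a "prog/xdp" detail line.
link_has_xdp() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++)
                      if ($i ~ /^xdp(generic|offload|multi)?$/) found = 1 }
        $1 == "prog/xdp" { found = 1 }
        END { exit !found }
    '
}

# Set the bond mode only when no XDP program is attached.
# Returns 0 on success, 3 when refused, 1 when the device cannot be read.
set_bond_mode_checked() {
    dev=$1
    mode=$2
    desc=$(run_ip -details link show dev "$dev") || return 1
    if printf '%s\n' "$desc" | link_has_xdp; then
        echo "refused: $dev has an XDP program attached;" \
             "detach it first: ip link set dev $dev xdp off" >&2
        return 3
    fi
    run_ip link set "$dev" type bond mode "$mode"
}

# Constructed samples of `ip -details link show dev bond0` output (shape
# assumed from typical iproute2 text output; values are made up).
SAMPLE_XDP='7: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 xdp qdisc noop state DOWN
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    bond mode balance-rr miimon 0
    prog/xdp id 42'
SAMPLE_PLAIN='7: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    bond mode balance-rr miimon 0'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_XDP" | link_has_xdp && echo "sample with XDP: refuse"
printf '%s\n' "$SAMPLE_PLAIN" | link_has_xdp || echo "sample without XDP: allow"
```

The check and the mode change are two separate requests, so this guards operator procedure only; on a patched kernel the driver itself rejects the mode change.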

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00167

KEV

no

Activities

very low
