CVE-2025-21920
Linux Kernel VLAN Device Type Enforcement Vulnerability
Description
In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization.
INFO
Published Date :
April 1, 2025, 4:15 p.m.
Last Modified :
April 11, 2025, 1:13 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
5.2
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-21920.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-21920 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2025-21920 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Apr. 11, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H Added CWE CWE-125 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.179 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.235 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.131 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.35 up to (excluding) 5.4.291 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.83 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.12.19 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.13.7 *cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:* Added Reference Type kernel.org: https://git.kernel.org/stable/c/0fb7aa04c19eac4417f360a9f7611a60637bdacc Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/30e8aee77899173a82ae5ed89f536c096f20aaeb Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/3561442599804905c3defca241787cd4546e99a7 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/5a515d13e15536e82c5c7c83eb6cf5bc4827fee5 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/7f1564b2b2072b7aa1ac75350e9560a07c7a44fd Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/b33a534610067ade2bdaf2052900aaad99701353 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/b6c72479748b7ea09f53ed64b223cee6463dc278 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/fa40ebef69234e39ec2d26930d045f2fb9a8cb2b Types: Patch -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Apr. 01, 2025
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization. Added Reference https://git.kernel.org/stable/c/0fb7aa04c19eac4417f360a9f7611a60637bdacc Added Reference https://git.kernel.org/stable/c/30e8aee77899173a82ae5ed89f536c096f20aaeb Added Reference https://git.kernel.org/stable/c/3561442599804905c3defca241787cd4546e99a7 Added Reference https://git.kernel.org/stable/c/5a515d13e15536e82c5c7c83eb6cf5bc4827fee5 Added Reference https://git.kernel.org/stable/c/7f1564b2b2072b7aa1ac75350e9560a07c7a44fd Added Reference https://git.kernel.org/stable/c/b33a534610067ade2bdaf2052900aaad99701353 Added Reference https://git.kernel.org/stable/c/b6c72479748b7ea09f53ed64b223cee6463dc278 Added Reference https://git.kernel.org/stable/c/fa40ebef69234e39ec2d26930d045f2fb9a8cb2b
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-21920 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-21920
weaknesses.