{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-21865", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.781Z", "datePublished": "2025-03-12T09:42:21.901Z", "dateUpdated": "2026-05-12T12:13:17.362Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:08:00.850Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket's netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger ->dellink() twice for the same device during\n->exit_batch_rtnl().\n\nSay we have two netns A & B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n 1. cleanup_net() processes netns A and then B.\n\n 2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns A's gn->gtp_dev_list and calls ->dellink().\n\n [ device B is not yet unlinked from netns B\n as unregister_netdevice_many() has not been called. ]\n\n 3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns B's for_each_netdev() and calls ->dellink().\n\ngtp_dellink() cleans up the device's hash table, unlinks the dev from\ngn->gtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n <TASK>\n [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/gtp.c"], "versions": [{"version": "c986380c1d5274c4d5e935addc807d6791cc23eb", "lessThan": "7f86fb07db65a470d0c11f79da551bd9466357dc", "status": "affected", "versionType": "git"}, {"version": "5f1678346109ff3a6d229d33437fcba3cce9209d", "lessThan": "33eb925c0c26e86ca540a08254806512bf911f22", "status": "affected", "versionType": "git"}, {"version": "036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3", "lessThan": "cb15bb1bde0ba97cbbed9508e45210dcafec3657", "status": "affected", "versionType": "git"}, {"version": "efec287cbac92ac6ee8312a89221854760e13b34", "lessThan": "b70fa591b066d52b141fc430ffdee35b6cc87a66", "status": "affected", "versionType": "git"}, {"version": "bb11f992f5a475bc68ef959f17a55306f0328495", "lessThan": "9d03e7e37187ae140e716377599493987fb20c5b", "status": "affected", "versionType": "git"}, {"version": "86f73d4ab2f27deeff22ba9336ad103d94f12ac7", "lessThan": "ff81b14010362f6188ca26fec22ff05e4da45595", "status": "affected", "versionType": "git"}, {"version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1", "lessThan": "37e7644b961600ef0beb01d3970c3034a62913af", "status": "affected", "versionType": "git"}, {"version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1", "lessThan": "4ccacf86491d33d2486b62d4d44864d7101b299d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/gtp.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.291", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.235", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.179", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.130", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.80", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.17", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.5", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.290", "versionEndExcluding": "5.4.291"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.234", "versionEndExcluding": "5.10.235"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.177", "versionEndExcluding": "5.15.179"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.127", "versionEndExcluding": "6.1.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.74", "versionEndExcluding": "6.6.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.11", "versionEndExcluding": "6.12.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.13.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc"}, {"url": "https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22"}, {"url": "https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657"}, {"url": "https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66"}, {"url": "https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b"}, {"url": "https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595"}, {"url": "https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af"}, {"url": "https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d"}], "title": "gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T19:25:29.794279Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T19:26:37.011Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:38:21.987Z"}}, {"x_adpType": "supplier", "providerMetadata": {"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "shortName": "siemens-SADP", "dateUpdated": "2026-05-12T12:13:17.362Z"}, "affected": [{"vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:38:21.987Z"}}, {"affected": [{"vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP", "versions": [{"status": "affected", "version": "V3.1.5", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}], "x_adpType": "supplier", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"}], "providerMetadata": {"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "shortName": "siemens-SADP", "dateUpdated": "2026-05-12T12:13:17.362Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T19:25:29.794279Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T16:58:44.625Z"}}], "cna": {"title": "gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "c986380c1d5274c4d5e935addc807d6791cc23eb", "lessThan": "7f86fb07db65a470d0c11f79da551bd9466357dc", "versionType": "git"}, {"status": "affected", "version": "5f1678346109ff3a6d229d33437fcba3cce9209d", "lessThan": "33eb925c0c26e86ca540a08254806512bf911f22", "versionType": "git"}, {"status": "affected", "version": "036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3", "lessThan": "cb15bb1bde0ba97cbbed9508e45210dcafec3657", "versionType": "git"}, {"status": "affected", "version": "efec287cbac92ac6ee8312a89221854760e13b34", "lessThan": "b70fa591b066d52b141fc430ffdee35b6cc87a66", "versionType": "git"}, {"status": "affected", "version": "bb11f992f5a475bc68ef959f17a55306f0328495", "lessThan": "9d03e7e37187ae140e716377599493987fb20c5b", "versionType": "git"}, {"status": "affected", "version": "86f73d4ab2f27deeff22ba9336ad103d94f12ac7", "lessThan": "ff81b14010362f6188ca26fec22ff05e4da45595", "versionType": "git"}, {"status": "affected", "version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1", "lessThan": "37e7644b961600ef0beb01d3970c3034a62913af", "versionType": "git"}, {"status": "affected", "version": "eb28fd76c0a08a47b470677c6cef9dd1c60e92d1", "lessThan": "4ccacf86491d33d2486b62d4d44864d7101b299d", "versionType": "git"}], "programFiles": ["drivers/net/gtp.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.13"}, {"status": "unaffected", "version": "0", "lessThan": "6.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.291", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.235", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.179", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.130", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.80", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.12.17", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.13.5", "versionType": "semver", "lessThanOrEqual": "6.13.*"}, {"status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/gtp.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc"}, {"url": "https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22"}, {"url": "https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657"}, {"url": "https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66"}, {"url": "https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b"}, {"url": "https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595"}, {"url": "https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af"}, {"url": "https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket's netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger ->dellink() twice for the same device during\n->exit_batch_rtnl().\n\nSay we have two netns A & B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n 1. cleanup_net() processes netns A and then B.\n\n 2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns A's gn->gtp_dev_list and calls ->dellink().\n\n [ device B is not yet unlinked from netns B\n as unregister_netdevice_many() has not been called. ]\n\n 3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns B's for_each_netdev() and calls ->dellink().\n\ngtp_dellink() cleans up the device's hash table, unlinks the dev from\ngn->gtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n <TASK>\n [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl\n---truncated---"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.291", "versionStartIncluding": "5.4.290"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.235", "versionStartIncluding": "5.10.234"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.179", "versionStartIncluding": "5.15.177"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.130", "versionStartIncluding": "6.1.127"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.80", "versionStartIncluding": "6.6.74"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.12.17", "versionStartIncluding": "6.12.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.13.5", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.14", "versionStartIncluding": "6.13"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:08:00.850Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21865", "state": "PUBLISHED", "dateUpdated": "2026-05-12T12:13:17.362Z", "dateReserved": "2024-12-29T08:45:45.781Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-03-12T09:42:21.901Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5DAF95A-8A69-4B14-B6B1-D69D7B0E67ED", "versionEndExcluding": "6.1.130", "versionStartIncluding": "6.1.127", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E39A81F-E53D-411A-A984-01020256DBCF", "versionEndExcluding": "6.6.80", "versionStartIncluding": "6.6.74", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1046E13-7BCA-4984-A2A5-A636C37F89CB", "versionEndExcluding": "6.12.17", "versionStartIncluding": "6.12.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "72E69ABB-9015-43A6-87E1-5150383CFFD9", "versionEndExcluding": "6.13.5", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.4.290:*:*:*:*:*:*:*", "matchCriteriaId": "545EEEA7-D108-42AD-A818-71A0944937FF", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10.234:*:*:*:*:*:*:*", "matchCriteriaId": "35D3F462-C339-41FE-9892-249F8F17987E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15.177:*:*:*:*:*:*:*", "matchCriteriaId": "BE9C4B84-1FEC-4D82-AC35-E594761500D0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket's netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger ->dellink() twice for the same device during\n->exit_batch_rtnl().\n\nSay we have two netns A & B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n 1. cleanup_net() processes netns A and then B.\n\n 2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns A's gn->gtp_dev_list and calls ->dellink().\n\n [ device B is not yet unlinked from netns B\n as unregister_netdevice_many() has not been called. ]\n\n 3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n netns B's for_each_netdev() and calls ->dellink().\n\ngtp_dellink() cleans up the device's hash table, unlinks the dev from\ngn->gtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n <TASK>\n [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: gtp: Supresi\u00f3n de la corrupci\u00f3n de listas en gtp_net_exit_batch_rtnl(). Brad Spengler report\u00f3 la corrupci\u00f3n de list_del() en gtp_net_exit_batch_rtnl(). [0] El commit eb28fd76c0a0 (\"gtp: Destruir dispositivo junto con el desmantelamiento de netns del socket UDP\") a\u00f1adi\u00f3 el bucle for_each_netdev() en gtp_net_exit_batch_rtnl() para destruir dispositivos en cada netns, como se hace en los t\u00faneles geneve e IP. Sin embargo, esto podr\u00eda activar -&gt;dellink() dos veces para el mismo dispositivo durante -&gt;exit_batch_rtnl(). Digamos que tenemos dos netns A y B y un dispositivo gtp B que reside en netns B pero cuyo socket UDP est\u00e1 en netns A. 1. cleanup_net() procesa netns A y luego B. 2. gtp_net_exit_batch_rtnl() encuentra el dispositivo B mientras itera gn-&gt;gtp_dev_list de netns A y llama a -&gt;dellink(). [el dispositivo B a\u00fan no est\u00e1 desvinculado de netns B ya que no se ha llamado a unregister_netdevice_many().] 3. gtp_net_exit_batch_rtnl() encuentra el dispositivo B mientras itera for_each_netdev() de netns B y llama a -&gt;dellink(). gtp_dellink() limpia la tabla hash del dispositivo, desvincula el dev de gn-&gt;gtp_dev_list y llama a unregister_netdevice_queue(). B\u00e1sicamente, llamar a gtp_dellink() varias veces no tiene problema a menos que CONFIG_DEBUG_LIST est\u00e9 habilitado. Eliminemos for_each_netdev() en gtp_net_exit_batch_rtnl() y deleguemos la destrucci\u00f3n a default_device_exit_batch() como se hace en bareudp. [0]: corrupci\u00f3n en list_del, ffff8880aaa62c00-&gt;next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:[] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc &lt;0f&gt; 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 RBX: kasan shadow of 0x0 RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 Stack: 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d Call Trace: [] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 [] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 [] list_del include/linux/list.h:262 [inl ---truncado---"}], "id": "CVE-2025-21865", "lastModified": "2026-05-12T13:16:39.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-12T10:15:19.650", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}, {"source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"}, {"source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().", "id": "2351635", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351635"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket's netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\nHowever, this could trigger ->dellink() twice for the same device during\n->exit_batch_rtnl().\nSay we have two netns A & B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n1. cleanup_net() processes netns A and then B.\n2. gtp_net_exit_batch_rtnl() finds the device B while iterating\nnetns A's gn->gtp_dev_list and calls ->dellink().\n[ device B is not yet unlinked from netns B\nas unregister_netdevice_many() has not been called. ]\n3. gtp_net_exit_batch_rtnl() finds the device B while iterating\nnetns B's for_each_netdev() and calls ->dellink().\ngtp_dellink() cleans up the device's hash table, unlinks the dev from\ngn->gtp_dev_list, and calls unregister_netdevice_queue().\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\nLet's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n[0]:\nlist_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\nffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n<TASK>\n[<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n[<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n[<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl\n---truncated---"], "name": "CVE-2025-21865", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21865\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21865\nhttps://lore.kernel.org/linux-cve-announce/2025031218-CVE-2025-21865-1837@gregkh/T"], "threat_severity": "Moderate"}

{}