{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-21921", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.788Z", "datePublished": "2025-04-01T15:40:55.110Z", "dateUpdated": "2026-05-11T21:09:06.682Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:09:06.682Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: netlink: Allow NULL nlattrs when getting a phy_device\n\nethnl_req_get_phydev() is used to lookup a phy_device, in the case an\nethtool netlink command targets a specific phydev within a netdev's\ntopology.\n\nIt takes as a parameter a const struct nlattr *header that's used for\nerror handling :\n\n if (!phydev) {\n NL_SET_ERR_MSG_ATTR(extack, header,\n \"no phy matching phyindex\");\n return ERR_PTR(-ENODEV);\n }\n\nIn the notify path after a ->set operation however, there's no request\nattributes available.\n\nThe typical callsite for the above function looks like:\n\n\tphydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],\n\t\t\t\t info->extack);\n\nSo, when tb is NULL (such as in the ethnl notify path), we have a nice\ncrash.\n\nIt turns out that there's only the PLCA command that is in that case, as\nthe other phydev-specific commands don't have a notification.\n\nThis commit fixes the crash by passing the cmd index and the nlattr\narray separately, allowing NULL-checking it directly inside the helper."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ethtool/cabletest.c", "net/ethtool/linkstate.c", "net/ethtool/netlink.c", "net/ethtool/netlink.h", "net/ethtool/phy.c", "net/ethtool/plca.c", "net/ethtool/pse-pd.c", "net/ethtool/stats.c", "net/ethtool/strset.c"], "versions": [{"version": "c15e065b46dc4e19837275b826c1960d55564abd", "lessThan": "639c70352958735addbba5ae7dd65985da96e061", "status": "affected", "versionType": "git"}, {"version": "c15e065b46dc4e19837275b826c1960d55564abd", "lessThan": "1f458fa42c29144cef280e05bc49fc21b873d897", "status": "affected", "versionType": "git"}, {"version": "c15e065b46dc4e19837275b826c1960d55564abd", "lessThan": "637399bf7e77797811adf340090b561a8f9d1213", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ethtool/cabletest.c", "net/ethtool/linkstate.c", "net/ethtool/netlink.c", "net/ethtool/netlink.h", "net/ethtool/phy.c", "net/ethtool/plca.c", "net/ethtool/pse-pd.c", "net/ethtool/stats.c", "net/ethtool/strset.c"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.19", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.7", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.13.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061"}, {"url": "https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897"}, {"url": "https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213"}], "title": "net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC0CC37A-843F-489C-B8A2-45012E0AF641", "versionEndExcluding": "6.12.19", "versionStartIncluding": "6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "842F5A44-3E71-4546-B4FD-43B0ACE3F32B", "versionEndExcluding": "6.13.7", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: netlink: Allow NULL nlattrs when getting a phy_device\n\nethnl_req_get_phydev() is used to lookup a phy_device, in the case an\nethtool netlink command targets a specific phydev within a netdev's\ntopology.\n\nIt takes as a parameter a const struct nlattr *header that's used for\nerror handling :\n\n if (!phydev) {\n NL_SET_ERR_MSG_ATTR(extack, header,\n \"no phy matching phyindex\");\n return ERR_PTR(-ENODEV);\n }\n\nIn the notify path after a ->set operation however, there's no request\nattributes available.\n\nThe typical callsite for the above function looks like:\n\n\tphydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],\n\t\t\t\t info->extack);\n\nSo, when tb is NULL (such as in the ethnl notify path), we have a nice\ncrash.\n\nIt turns out that there's only the PLCA command that is in that case, as\nthe other phydev-specific commands don't have a notification.\n\nThis commit fixes the crash by passing the cmd index and the nlattr\narray separately, allowing NULL-checking it directly inside the helper."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ethtool: netlink: Permite nlattrs nulos al obtener un phy_device. ethnl_req_get_phydev() se usa para buscar un phy_device si el comando netlink de ethtool apunta a un phydev espec\u00edfico dentro de la topolog\u00eda de un netdev. Toma como par\u00e1metro una constante struct nlattr *header que se usa para la gesti\u00f3n de errores: if (!phydev) { NL_SET_ERR_MSG_ATTR(extack, header, \"no phy matches phyindex\"); return ERR_PTR(-ENODEV); } Sin embargo, en la ruta de notificaci\u00f3n despu\u00e9s de una operaci\u00f3n ->set, no hay atributos de solicitud disponibles. El sitio de llamada t\u00edpico para la funci\u00f3n anterior se ve as\u00ed: phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER], info->extack); Por lo tanto, cuando tb es nulo (como en la ruta de notificaci\u00f3n de ethnl), se produce un fallo. Resulta que solo el comando PLCA se encuentra en ese caso, ya que los dem\u00e1s comandos espec\u00edficos de phydev no tienen notificaci\u00f3n. Esta confirmaci\u00f3n corrige el fallo pasando el \u00edndice cmd y la matriz nlattr por separado, lo que permite comprobar su estado nulo directamente dentro del asistente."}], "id": "CVE-2025-21921", "lastModified": "2025-10-31T18:08:21.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-01T16:15:22.790", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device", "id": "2356660", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356660"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: ethtool: netlink: Allow NULL nlattrs when getting a phy_device\nethnl_req_get_phydev() is used to lookup a phy_device, in the case an\nethtool netlink command targets a specific phydev within a netdev's\ntopology.\nIt takes as a parameter a const struct nlattr *header that's used for\nerror handling :\nif (!phydev) {\nNL_SET_ERR_MSG_ATTR(extack, header,\n\"no phy matching phyindex\");\nreturn ERR_PTR(-ENODEV);\n}\nIn the notify path after a ->set operation however, there's no request\nattributes available.\nThe typical callsite for the above function looks like:\nphydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],\ninfo->extack);\nSo, when tb is NULL (such as in the ethnl notify path), we have a nice\ncrash.\nIt turns out that there's only the PLCA command that is in that case, as\nthe other phydev-specific commands don't have a notification.\nThis commit fixes the crash by passing the cmd index and the nlattr\narray separately, allowing NULL-checking it directly inside the helper."], "name": "CVE-2025-21921", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21921\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21921\nhttps://lore.kernel.org/linux-cve-announce/2025040131-CVE-2025-21921-9deb@gregkh/T"], "threat_severity": "Low"}

{}