{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21781", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.764Z", "datePublished": "2025-02-27T02:18:24.013Z", "dateUpdated": "2025-03-24T15:40:18.233Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-24T15:40:18.233Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix panic during interface removal\n\nReference counting is used to ensure that\nbatadv_hardif_neigh_node and batadv_hard_iface\nare not freed before/during\nbatadv_v_elp_throughput_metric_update work is\nfinished.\n\nBut there isn't a guarantee that the hard if will\nremain associated with a soft interface up until\nthe work is finished.\n\nThis fixes a crash triggered by reboot that looks\nlike this:\n\nCall trace:\n batadv_v_mesh_free+0xd0/0x4dc [batman_adv]\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x178/0x398\n worker_thread+0x2e8/0x4d0\n kthread+0xd8/0xdc\n ret_from_fork+0x10/0x20\n\n(the batadv_v_mesh_free call is misleading,\nand does not actually happen)\n\nI was able to make the issue happen more reliably\nby changing hardif_neigh->bat_v.metric_work work\nto be delayed work. This allowed me to track down\nand confirm the fix.\n\n[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without\n soft_iface]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/batman-adv/bat_v_elp.c"], "versions": [{"version": "c833484e5f3872a38fe232c663586069d5ad9645", "lessThan": "167422a07096a6006599067c8b55884064fa0b72", "status": "affected", "versionType": "git"}, {"version": "c833484e5f3872a38fe232c663586069d5ad9645", "lessThan": "ce3f1545bf8fa28bd05ec113679e8e6cd23af577", "status": "affected", "versionType": "git"}, {"version": "c833484e5f3872a38fe232c663586069d5ad9645", "lessThan": "f0a16c6c79768180333f3e41ce63f32730e3c3af", "status": "affected", "versionType": "git"}, {"version": "c833484e5f3872a38fe232c663586069d5ad9645", "lessThan": "7eb5dd201695645af071592a50026eb780081a72", "status": "affected", "versionType": "git"}, {"version": "c833484e5f3872a38fe232c663586069d5ad9645", "lessThan": "072b2787321903287a126c148e8db87dd7ef96fe", "status": "affected", "versionType": "git"}, {"version": "c833484e5f3872a38fe232c663586069d5ad9645", "lessThan": "2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7", "status": "affected", "versionType": "git"}, {"version": "c833484e5f3872a38fe232c663586069d5ad9645", "lessThan": "522b1596ea19e327853804da2de60aeb9c5d6f42", "status": "affected", "versionType": "git"}, {"version": "c833484e5f3872a38fe232c663586069d5ad9645", "lessThan": "ccb7276a6d26d6f8416e315b43b45e15ee7f29e2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/batman-adv/bat_v_elp.c"], "versions": [{"version": "4.6", "status": "affected"}, {"version": "0", "lessThan": "4.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.291", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.235", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.179", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.129", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.79", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.16", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.4", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/167422a07096a6006599067c8b55884064fa0b72"}, {"url": "https://git.kernel.org/stable/c/ce3f1545bf8fa28bd05ec113679e8e6cd23af577"}, {"url": "https://git.kernel.org/stable/c/f0a16c6c79768180333f3e41ce63f32730e3c3af"}, {"url": "https://git.kernel.org/stable/c/7eb5dd201695645af071592a50026eb780081a72"}, {"url": "https://git.kernel.org/stable/c/072b2787321903287a126c148e8db87dd7ef96fe"}, {"url": "https://git.kernel.org/stable/c/2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7"}, {"url": "https://git.kernel.org/stable/c/522b1596ea19e327853804da2de60aeb9c5d6f42"}, {"url": "https://git.kernel.org/stable/c/ccb7276a6d26d6f8416e315b43b45e15ee7f29e2"}], "title": "batman-adv: fix panic during interface removal", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix panic during interface removal\n\nReference counting is used to ensure that\nbatadv_hardif_neigh_node and batadv_hard_iface\nare not freed before/during\nbatadv_v_elp_throughput_metric_update work is\nfinished.\n\nBut there isn't a guarantee that the hard if will\nremain associated with a soft interface up until\nthe work is finished.\n\nThis fixes a crash triggered by reboot that looks\nlike this:\n\nCall trace:\n batadv_v_mesh_free+0xd0/0x4dc [batman_adv]\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x178/0x398\n worker_thread+0x2e8/0x4d0\n kthread+0xd8/0xdc\n ret_from_fork+0x10/0x20\n\n(the batadv_v_mesh_free call is misleading,\nand does not actually happen)\n\nI was able to make the issue happen more reliably\nby changing hardif_neigh->bat_v.metric_work work\nto be delayed work. This allowed me to track down\nand confirm the fix.\n\n[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without\n soft_iface]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: batman-adv: se corrige el p\u00e1nico durante la eliminaci\u00f3n de la interfaz. El recuento de referencias se utiliza para garantizar que batadv_hardif_neigh_node y batadv_hard_iface no se liberen antes o durante la finalizaci\u00f3n del trabajo de batadv_v_elp_throughput_metric_update. Pero no hay garant\u00eda de que el if duro permanezca asociado con una interfaz blanda hasta que finalice el trabajo. Esto corrige un fallo provocado por el reinicio que se parece a esto: Seguimiento de llamada: batadv_v_mesh_free+0xd0/0x4dc [batman_adv] batadv_v_elp_throughput_metric_update+0x1c/0xa4 process_one_work+0x178/0x398 worker_thread+0x2e8/0x4d0 kthread+0xd8/0xdc ret_from_fork+0x10/0x20 (la llamada batadv_v_mesh_free es enga\u00f1osa y en realidad no sucede) Pude hacer que el problema sucediera de manera m\u00e1s confiable al cambiar hardif_neigh->bat_v.metric_work work para que sea delayed work. Esto me permiti\u00f3 rastrear y confirmar la soluci\u00f3n. [sven@narfation.org: evitar ingresar batadv_v_elp_get_throughput sin soft_iface]"}], "id": "CVE-2025-21781", "lastModified": "2025-03-13T13:15:54.427", "metrics": {}, "published": "2025-02-27T03:15:18.947", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/072b2787321903287a126c148e8db87dd7ef96fe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/167422a07096a6006599067c8b55884064fa0b72"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/522b1596ea19e327853804da2de60aeb9c5d6f42"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7eb5dd201695645af071592a50026eb780081a72"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ccb7276a6d26d6f8416e315b43b45e15ee7f29e2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ce3f1545bf8fa28bd05ec113679e8e6cd23af577"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f0a16c6c79768180333f3e41ce63f32730e3c3af"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: batman-adv: fix panic during interface removal", "id": "2348658", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348658"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbatman-adv: fix panic during interface removal\nReference counting is used to ensure that\nbatadv_hardif_neigh_node and batadv_hard_iface\nare not freed before/during\nbatadv_v_elp_throughput_metric_update work is\nfinished.\nBut there isn't a guarantee that the hard if will\nremain associated with a soft interface up until\nthe work is finished.\nThis fixes a crash triggered by reboot that looks\nlike this:\nCall trace:\nbatadv_v_mesh_free+0xd0/0x4dc [batman_adv]\nbatadv_v_elp_throughput_metric_update+0x1c/0xa4\nprocess_one_work+0x178/0x398\nworker_thread+0x2e8/0x4d0\nkthread+0xd8/0xdc\nret_from_fork+0x10/0x20\n(the batadv_v_mesh_free call is misleading,\nand does not actually happen)\nI was able to make the issue happen more reliably\nby changing hardif_neigh->bat_v.metric_work work\nto be delayed work. This allowed me to track down\nand confirm the fix.\n[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without\nsoft_iface]"], "name": "CVE-2025-21781", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21781\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21781\nhttps://lore.kernel.org/linux-cve-announce/2025022607-CVE-2025-21781-7324@gregkh/T"], "threat_severity": "Moderate"}