{ "threat_severity" : "Moderate", "public_date" : "2025-03-12T00:00:00Z", "bugzilla" : { "description" : "kernel: ibmvnic: Don't reference skb after sending to VIOS", "id" : "2351608", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2351608" }, "cvss3" : { "cvss3_base_score" : "6.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nibmvnic: Don't reference skb after sending to VIOS\nPreviously, after successfully flushing the xmit buffer to VIOS,\nthe tx_bytes stat was incremented by the length of the skb.\nIt is invalid to access the skb memory after sending the buffer to\nthe VIOS because, at any point after sending, the VIOS can trigger\nan interrupt to free this memory. A race between reading skb->len\nand freeing the skb is possible (especially during LPM) and will\nresult in use-after-free:\n==================================================================\nBUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\nRead of size 4 at addr c00000024eb48a70 by task hxecom/14495\n<...>\nCall Trace:\n[c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)\n[c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0\n[c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8\n[c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0\n[c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n[c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358\n<...>\nFreed by task 0:\nkasan_save_stack+0x34/0x68\nkasan_save_track+0x2c/0x50\nkasan_save_free_info+0x64/0x108\n__kasan_mempool_poison_object+0x148/0x2d4\nnapi_skb_cache_put+0x5c/0x194\nnet_tx_action+0x154/0x5b8\nhandle_softirqs+0x20c/0x60c\ndo_softirq_own_stack+0x6c/0x88\n<...>\nThe buggy address belongs to the object at c00000024eb48a00 which\nbelongs to the cache skbuff_head_cache of size 224\n==================================================================" ], "statement" : "This issue is considered to be a moderate impact flaw, as the exploitation for this will need an ADMIN (or ROOT) privilege (PR:H).", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20095", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.8.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20518", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.5.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20518", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.5.1.el9_7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21855\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21855\nhttps://lore.kernel.org/linux-cve-announce/2025031214-CVE-2025-21855-2d67@gregkh/T" ], "name" : "CVE-2025-21855", "csaw" : false }