{
  "threat_severity" : "Moderate",
  "public_date" : "2025-03-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: geneve: Fix use-after-free in geneve_find_dev().",
    "id" : "2351619",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2351619"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ngeneve: Fix use-after-free in geneve_find_dev().\nsyzkaller reported a use-after-free in geneve_find_dev() [0]\nwithout repro.\ngeneve_configure() links struct geneve_dev.next to\nnet_generic(net, geneve_net_id)->geneve_list.\nThe net here could differ from dev_net(dev) if IFLA_NET_NS_PID,\nIFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.\nWhen dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally\ncalls unregister_netdevice_queue() for each dev in the netns,\nand later the dev is freed.\nHowever, its geneve_dev.next is still linked to the backend UDP\nsocket netns.\nThen, use-after-free will occur when another geneve dev is created\nin the netns.\nLet's call geneve_dellink() instead in geneve_destroy_tunnels().\n[0]:\nBUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]\nBUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\nRead of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441", "A use-after-free vulnerability exists in the Linux kernel. When dev_net is dismantled, the geneve_exit_batch_rtnl() function calls unregister_netdevice_queue() for each device in the network namespace. Later, when the device is freed, it is still linked to the backend UDP socket in the network namespace." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25120",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.132.1.rt7.473.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25121",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.132.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26535",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.194.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26535",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.194.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26570",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.196.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26570",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.6",
    "package" : "kernel-0:4.18.0-372.196.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26563",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.147.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26563",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.147.1.el8_8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21858\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21858\nhttps://lore.kernel.org/linux-cve-announce/2025031215-CVE-2025-21858-3986@gregkh/T" ],
  "name" : "CVE-2025-21858",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}