{ "threat_severity" : "Moderate", "public_date" : "2025-04-01T00:00:00Z", "bugzilla" : { "description" : "kernel: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list", "id" : "2356618", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2356618" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\nchild_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq.\nThis 'prev' pointer can originate from struct rq's leaf_cfs_rq_list,\nmaking the conversion invalid and potentially leading to memory\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\nthe task group (tg) pointer within the struct, this can cause a memory\nfault or access garbage data.\nThe issue arises in list_add_leaf_cfs_rq, where both\ncfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same\nleaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list.\nThis adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main\nconditional in child_cfs_rq_on_list. This ensures that the container_of\noperation will convert a correct cfs_rq struct.\nThis check is sufficient because only cfs_rqs on the same CPU are added\nto the list, so verifying the 'prev' pointer against the current rq's list\nhead is enough.\nFixes a potential memory corruption issue that due to current struct\nlayout might not be manifesting as a crash but could lead to unpredictable\nbehavior when the layout changes." ], "statement" : "The security impact is limited, because there is no known vector of attack. The description of patch says: \"Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes\". Keeping CVSS score 7.0 with attack complexity high. Plan to fix it.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-06-02T00:00:00Z", "advisory" : "RHSA-2025:8374", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "kernel-0:6.12.0-55.14.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-28T00:00:00Z", "advisory" : "RHSA-2025:11851", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.64.1.rt7.405.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-28T00:00:00Z", "advisory" : "RHSA-2025:11850", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.64.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13776", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.157.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13776", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.157.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13776", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.157.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-08-25T00:00:00Z", "advisory" : "RHSA-2025:14418", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.106.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-08-25T00:00:00Z", "advisory" : "RHSA-2025:14418", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.106.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-06-23T00:00:00Z", "advisory" : "RHSA-2025:9302", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.23.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-06-23T00:00:00Z", "advisory" : "RHSA-2025:9302", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.23.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21919\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21919\nhttps://lore.kernel.org/linux-cve-announce/2025040131-CVE-2025-21919-5f2a@gregkh/T" ], "name" : "CVE-2025-21919", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }