medium
5.5
CWE
476
Advisory Published
Updated

CVE-2025-21676: Null Pointer Dereference

First published: Fri Jan 31 2025(Updated: )

In the Linux kernel, the following vulnerability has been resolved: net: fec: handle page_pool_dev_alloc_pages error The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did not handle the case when it returned NULL. There was a WARN_ON(!new_page) but it would still proceed to use the NULL pointer and then crash. This case does seem somewhat rare but when the system is under memory pressure it can happen. One case where I can duplicate this with some frequency is when writing over a smbd share to a SATA HDD attached to an imx6q. Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve the problem for my test case. But it still seems wrong that the fec driver ignores the memory allocation error and can crash. This commit handles the allocation error by dropping the current packet.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected SoftwareAffected VersionHow to fix
Linux kernel
Linux Kernel>=6.1<6.6.74
Linux Kernel>=6.7<6.12.11
Linux Kernel=6.13-rc1
Linux Kernel=6.13-rc2
Linux Kernel=6.13-rc3
Linux Kernel=6.13-rc4
Linux Kernel=6.13-rc5
Linux Kernel=6.13-rc6
Linux Kernel=6.13-rc7

Remedy

https://git.kernel.org/stable/c/001ba0902046cb6c352494df610718c0763e77a5

Remedy

https://git.kernel.org/stable/c/1425cb829556398f594658512d49292f988a2ab0

Remedy

https://git.kernel.org/stable/c/8a0097db0544b658c159ac787319737712063a23

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-21676?

    CVE-2025-21676 has not been assigned a severity rating, but it affects kernel functionality which can lead to potential denial of service.

  • How do I fix CVE-2025-21676?

    To fix CVE-2025-21676, update your Linux kernel to the latest version that includes the patch addressing this vulnerability.

  • What causes CVE-2025-21676 in the Linux kernel?

    CVE-2025-21676 is caused by an error handling oversight in the fec_enet_update_cbd function that does not properly handle a NULL return from page_pool_dev_alloc_pages.

  • Which versions of the Linux kernel are affected by CVE-2025-21676?

    CVE-2025-21676 affects certain versions of the Linux kernel, specifically those using the fec_enet driver.

  • Is CVE-2025-21676 exploitable remotely?

    CVE-2025-21676 is not known to be remotely exploitable but could be leveraged in systems with local access to cause issues.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203