- Vulnerability/
- CVE-2025-21681
CVE-2025-21681
First published: Fri Jan 31 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix lockup on tx to unregistering netdev with carrier Commit in a fixes tag attempted to fix the issue in the following sequence of calls: do_output -> ovs_vport_send -> dev_queue_xmit -> __dev_queue_xmit -> netdev_core_pick_tx -> skb_tx_hash When device is unregistering, the 'dev->real_num_tx_queues' goes to zero and the 'while (unlikely(hash >= qcount))' loop inside the 'skb_tx_hash' becomes infinite, locking up the core forever. But unfortunately, checking just the carrier status is not enough to fix the issue, because some devices may still be in unregistering state while reporting carrier status OK. One example of such device is a net/dummy. It sets carrier ON on start, but it doesn't implement .ndo_stop to set the carrier off. And it makes sense, because dummy doesn't really have a carrier. Therefore, while this device is unregistering, it's still easy to hit the infinite loop in the skb_tx_hash() from the OVS datapath. There might be other drivers that do the same, but dummy by itself is important for the OVS ecosystem, because it is frequently used as a packet sink for tcpdump while debugging OVS deployments. And when the issue is hit, the only way to recover is to reboot. Fix that by also checking if the device is running. The running state is handled by the net core during unregistering, so it covers unregistering case better, and we don't really need to send packets to devices that are not running anyway. While only checking the running state might be enough, the carrier check is preserved. The running and the carrier states seem disjoined throughout the code and different drivers. And other core functions like __dev_direct_xmit() check both before attempting to transmit a packet. So, it seems safer to check both flags in OVS as well.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux kernel |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-21681?
CVE-2025-21681 has been classified with a moderate severity level due to its potential impact on system stability.
How do I fix CVE-2025-21681?
To address CVE-2025-21681, upgrade to the latest version of the Linux kernel that includes the fix for this vulnerability.
What systems are affected by CVE-2025-21681?
CVE-2025-21681 affects the Linux kernel, particularly those utilizing openvswitch functionalities.
What are the consequences of not fixing CVE-2025-21681?
Failure to resolve CVE-2025-21681 may lead to network disruptions and possible system lockups when unregistering network devices.
Is there a specific version of the Linux kernel that addresses CVE-2025-21681?
Yes, the fix for CVE-2025-21681 is included in the latest stable releases of the Linux kernel.
- collector/nvd-api
- source/NVD
- agent/type
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/author
- agent/source
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- vendor/linux
- canonical/linux kernel